Preface



This volume contains the proceedings of the 14th International Conference on
Concurrency Theory (CONCUR 2003) held in Marseille, France, September 3-5,
2003. The conference was hosted by the Université de Provence and the
Laboratoire d'Informatique Fondamentale de Marseille (LIF).

The purpose of the CONCUR conferences is to bring together researchers,
developers, and students in order to advance the theory of concurrency, and
promote its applications. Interest in this topic is continuously growing, as a
consequence of the importance and ubiquity of concurrent systems and their
applications, and of the scientific relevance of their foundations. The scope of
the conference covers all areas of semantics, logics, and verification techniques
for concurrent systems. Topics include concurrency-related aspects of: models of
computation and semantic domains, process algebras, Petri nets, event
structures, real-time systems, hybrid systems, decidability, model-checking,
verification and refinement techniques, term and graph rewriting, distributed
programming, logic constraint programming, object-oriented programming, type
systems and algorithms, case studies, and tools and environments for
programming and verification.

Of the 107 papers submitted this year, 29 were accepted for presentation.
Four invited talks were given at the conference: on Distributed Monitoring of
Concurrent and Asynchronous Systems by Albert Benveniste, on Quantitative
Verification via the MU-Calculus by Luca de Alfaro, on Input-Output Automata:
Basic, Timed, Hybrid, Probabilistic, Dynamic, ... by Nancy Lynch, and on
Composition of Cryptographic Protocols in a Probabilistic Polynomial-Time
Process Calculus by Andre Scedrov.

Several workshops were organized together with CONCUR:

— EXPRESS, Expressiveness in Concurrency, organized by Flavio Corradini
and Uwe Nestmann;

— FOCLASA, Foundations of Coordination Languages and Software Architectures,
organized by Antonio Brogi, Jean-Marie Jacquet and Ernesto Pimentel;

— INFINITY, Verification of Infinite State Systems, organized by Philippe
Schnoebelen;

— FORMATS, Formal Modelling and Analysis of Timed Systems, organized
by Peter Niebert;

— GETCO, Geometric and Topological Methods in Concurrency, organized by
Ulrich Fahrenberg;

— CMCIM, Categorical Methods for Concurrency, Interaction, and Mobility,
organized by Thomas Hildebrandt and Alexander Kurz;

— BioConcur, Concurrent Models in Molecular Biology, organized by Vincent
Danos and Cosimo Laneve;

— SPV, Security Protocols Verification, organized by Michael Rusinowitch.




Abstract. Developing applications over a distributed and asynchronous
architecture without the need for synchronization services is going to become
a central track for distributed computing. This research track will be central
for the domain of autonomic computing and self-management. Distributed
constraint solving, distributed observation, and distributed optimization are
instances of such applications. This paper is about distributed observation: we
investigate the problem of distributed monitoring of concurrent and
asynchronous systems, with application to distributed fault management in
telecommunications networks.

Our approach combines two techniques: compositional unfoldings to 
handle concurrency properly, and a variant of graphical algorithms and 
belief propagation, originating from statistics and information theory. 

Keywords: asynchronous, concurrent, distributed, unfoldings, event 
structures, belief propagation, fault diagnosis, fault management 



1 Introduction 

Concurrent and distributed systems have been at the heart of computer science
and engineering for decades. Distributed algorithms [18,25] have provided the
sound basis for distributed software infrastructures, providing correct
communication and synchronization mechanisms, and fault tolerance for
distributed applications. Consensus and group membership have become basic
services that a safe distributed architecture should provide. Formal models and
mathematical theories of concurrent systems have been essential to the
development of languages, formalisms, and validation techniques that are needed
for a correct design of large distributed applications.

However, the increasing power of distributed computing allows the development
of applications in which the distributed underlying architecture, the function
to be performed, and the data involved, are tightly interacting. Distributed
optimization is a generic example. In this paper, we consider another instance
of those problems, namely the problem of inferring, from measurements, the
hidden internal state of a distributed and asynchronous system. Such an
inference has to be performed also in a distributed way. An important
application is distributed alarm correlation and fault diagnosis in
telecommunications networks, which motivated this work.

* This work is or has been supported in part by the following projects: MAGDA,
MAGDA2, funded by the ministry of research. Other partners of these projects
were or are: Alcatel, France Telecom R&D, Hog, Paris-Nord University.

The problem of recovering state histories from observations is pervasive
throughout the general area of information technologies. As said before, it is
central in the area of distributed algorithms [18,25], where it consists in
searching for globally coherent sets of available local states, to form the
global state. In this case the local states are available. Extending this to
the case when the local states themselves must be inferred from observations
has been considered in other areas than computer science. For instance,
estimating the state trajectory from noisy measurements is central in control
engineering, with the Kalman filter as its most popular instance [16]; the same
problem is considered in the area of pattern recognition, for stochastic finite
state automata, in the theory of Hidden Markov Models [24]. For both cases,
however, no extension exists to handle distributed systems. The theory of
Bayesian networks in pattern recognition addresses the problem of distributed
estimation, by proposing so-called belief propagation algorithms, which are
chaotic and asynchronous iterations to perform state estimation from noisy
measurements [19,20,23]. On the other hand, systems with dynamics (e.g.,
automata) are not considered in Bayesian networks. Finally, fault diagnosis in
discrete event systems (e.g., automata) has been extensively studied [6,27],
but the problem of distributed fault diagnosis for distributed asynchronous
systems has not been addressed.

This paper is organized as follows. Our motivating application, namely
distributed alarm correlation and fault diagnosis, is discussed in Sect. 2. Its
main features are: the concurrent nature of fault effect propagation, and the
need for distributed supervision, where each supervisor knows only the
restriction, to its own domain, of the global system model. Our goal is to
compute a coherent set of local views for the global status of the system, for
each supervisor. We follow a true concurrency approach. A natural candidate for
this are 1-safe Petri nets with branching processes and unfoldings. Within this
framework, we discuss in Sect. 3 a toy example in detail. The mathematical
background is recalled in Sect. 4.1. As our toy example shows, two
non-classical operators are needed: a projection (to formalize what a local
view is), and a composition (to formalize the cooperation of supervisors for
distributed diagnosis). Occurrence nets, branching processes, and unfoldings
will be shown to be not closed under projection, and thus inadequate to support
these operations. Therefore, projection and composition are introduced for
event structures (in fact, for "condition structures", a variant of event
structures in which events are re-interpreted as conditions). This material is
developed in Sect. 4.2. It allows us to formally express our problem, which is
done in Sect. 5.

With complex interaction and several supervisors, the algorithm quickly
becomes intractable, with no easy implementation. Fortunately, it is possible
to organize the problem into a high-level orchestration of low-level
primitives, expressed in terms of projections and compositions of condition
structures. This orchestration is obtained by deriving, for our framework, a
set of key properties relating condition structures, their projections, and
their compositions. Further analysing these key properties shows that they are
shared by basic problems such as: distributed combinatorial constraint solving,
distributed combinatorial optimization, and Bayesian networks estimation.
Fortunately, chaotic distributed and asynchronous iterations to solve these
problems have been studied; perhaps the most well-known version of these is
that of belief propagation in belief networks [19,20,23]. Our high-level
orchestration is derived from these techniques and is explained in Sect. 6. In
addition, this approach allows us to consider maximum likelihood estimation of
fault scenarios, by using a probabilistic model for fault propagation.

Missing details and proofs can be found in the extended version [1]. 

2 Motivating Application: Fault Management in Telecommunication Networks**

Distributed self-management is a key objective in operating large scale
infrastructures. Fault management is one of the five classical components of
management, and our driving application. Here, we consider a distributed
architecture in which each supervisor is in charge of its own domain, and the
different supervisors cooperate at constructing a set of coherent local views
for their respective domains. Of course, the corresponding global view should
never be actually computed.

To ensure modularity, network management systems are decomposed into
interconnected Network Elements (NE), composed in turn of several Managed
Objects (MO). MOs act as peers providing to each other services for overall
fault management. Consequently, each MO is equipped with its own fault
management function. This involves self-monitoring for possible own internal
sources of fault, as well as propagating, to clients of the considered MO, the
effect of one of its servers getting disabled.

Because of this modularity, faults propagate throughout the management
system: when a primary fault occurs in some MO, that MO emits an alarm to the
supervisor, sends a message to its neighbours, and gets disabled. Its
neighbouring MOs receive the message, recognize their inability to deliver
their service, get disabled, emit alarms, and so on.

Figure 1 shows on the left hand side the SDH/SONET ring in operation in the
Paris area (the locations indicated are suburbs of Paris). A few ports and
links are shown. The right diagram is a detailed view of the Montrouge node.
The nested light to mid gray rectangles represent the different layers in the
SDH hierarchy, with the largest one being the physical layer. The different
boxes are the MOs, and the links across the different layers are the paths for
upward/downward fault propagation. Each MO can be seen as an automaton
reacting to input events/messages, changing its state, and emitting events and
alarms to its neighbours, both co-located and distant. Figure 2 shows a
realistic example of a fault propagation scenario distributed across the four
different sites.

** This section has been prepared with the help of Armen Aghasaryan, Alcatel
Research & Innovation, Next Generation Network and Service Management Project,
Alcatel R&I, Route de Nozay, Marcoussis, 91461 France.

Fig. 1. The Paris area SDH/SONET ring (left), and a detail of the Montrouge
node (right). The different levels of the SDH hierarchy are shown: SPI, RS, etc.

Fig. 2. A fault propagation scenario distributed across the four different
sites. The dashed arrows indicate distant propagation. The cryptic names are
SDH/SONET fault labels.

To summarize, the different supervisors are distributed, and different MOs
operate concurrently and asynchronously within each supervisor.

3 Informal Discussion of an Example 

If all variables involved in the above scenarios possess a finite domain, we can 
represent these in an enumerative form. This suggests using safe Petri nets with 
a true concurrency semantics to formalize distributed fault diagnosis. 
Presenting the Example, and the Problem. Our example is shown in Fig. 3,
1st diagram, in the form of a labeled Petri net, with two interacting
components, numbered 1 and 2. Component 2 uses the services of component 1,
and therefore may fail to deliver its service when component 1 is faulty. The
two components interact via their shared places 3 and 7, represented by the
gray zone; note that this Petri net is safe, and that the two places 3 and 7
are complementary.

Component 1 has two private states: safe, represented by place 1, and faulty,
represented by place 2. Upon entering its faulty state, component 1 emits an
alarm β. The fault of component 1 is temporary, thus self-repair is possible
and is represented by the label ρ. Component 2 has three private states,
represented by places 4, 5, 6. State 4 is safe, state 6 indicates that
component 2 is faulty, and state 5 indicates that component 2 fails to deliver
its service, due to the failure of component 1. Fault 6 is permanent and
cannot be repaired.

The failure of component 2 caused by a fault of component 1 is modeled by the
shared place 3. The monitoring system of component 2 only detects that
component 2 fails to deliver its service; it does not distinguish between the
different reasons for this. Hence the same alarm α is attached to the two
transitions posterior to 4. Since fault 2 of component 1 is temporary,
self-repair can also occur for component 2, when in faulty state 5. This
self-repair is not synchronized with that of component 1, but bears the same
label ρ. Finally, place 7 guarantees that fault propagation, from component 1
to 2, is possible only when the latter is in safe state.

The initial marking consists of the three states 1, 4, 7. Labels (alarms α, β,
or self-repair ρ) attached to the different transitions or events are
generically referred to as alarms in the sequel.

Three different setups can be considered for diagnosis, assuming that messages
are not lost:

Setup S1: The successive alarms are recorded in sequence by a single
supervisor, in charge of fault monitoring. The sensor and communication
infrastructure guarantees that causality is respected: for any two alarms such
that α causes α', α is recorded before α'.

Setup S2: Each sensor records its local alarms in sequence, while respecting
causality. The different sensors perform independently and asynchronously, and
a single supervisor collects the records from the different sensors. Thus any
interleaving of the records from different sensors is possible, and causalities
among alarms from different sensors are lost.

Setup S3: The fault monitoring is distributed, with different supervisors
cooperating asynchronously. Each supervisor is attached to a component, records
its local alarms in sequence, and can exchange supervision messages with the
other supervisors, asynchronously.

A Simple Solution? For setup S1, there is a simple solution. Call A the
recorded alarm sequence. Try to fire this sequence in the Petri net from the
initial marking. Each time an ambiguity occurs (two transitions may be fired
explaining the next event in A), a new copy of the trial (a new Petri net) is
instantiated to follow the additional firing sequence. Each time no transition
can be fired in a trial to explain a new event, the trial is abandoned. Then,
at the end of A, all the behaviours explaining A have been obtained. Setup S2
can be handled similarly, by exploring all interleavings of the two recorded
alarm sequences. However, this direct approach does not represent efficiently
the set of all solutions to the diagnosis problem.

In addition, this direct approach does not work for Setup S3. In this case, no
supervisor knows the entire net and no global interleaving of the recorded
alarm sequences is available. Maintaining a coherent set of causally related
local diagnoses becomes a difficult problem for which no straightforward
solution works. The approach we propose below addresses both the Setup S3 and
the efficient representation of all solutions, for all setups.



An Efficient Data Structure to Represent All Runs. Figure 3 shows our running
example. The Petri net P is repeated on the 2nd diagram: the labels α, β, ρ
have been discarded, and transitions are labeled i, ii, etc. instead. Places
constituting the initial marking are indicated by thick circles.

The mechanism of constructing a run of P in the form of a partial order is
illustrated in the 2nd and 3rd diagrams. Initialize any run of P with the three
conditions labeled by the initial marking (1,7,4). Append to the pair (1,7) a
copy of the transition (1,7) → i → (2,3). Append to the new place labeled 2 a
copy of the transition (2) → iii → (1). Append, to the pair (3,4), a copy of
the transition (3,4) → iv → (7,5) (this is the step shown). We have
constructed (the prefix of) a run of P. Now, all runs can be constructed in
this way. Different runs can share some prefix.
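The Setup S1 procedure above ("A Simple Solution?") together with the run construction just described, as an added example that is not the paper's own code: it replays the alarm sequence β, α, ρ, ρ, β, α of Fig. 4 in the running example of Fig. 3, forking a trial at every ambiguity, and then rebuilds each explanation as a partial-order run so that interleavings of concurrent events collapse. The net's arcs are reconstructed from the prose of Sect. 3 and are an assumption, as are the transition names.

```python
"""Setup S1 diagnosis ("A Simple Solution?") on the running example of Sect. 3,
followed by the run construction of Fig. 3.  Added example, not the paper's code."""
from collections import namedtuple

# Running example of Fig. 3, reconstructed from the prose of Sect. 3.
# Assumption: the exact arcs are our reading of that text.  Places are 1..7,
# the shared places 3 and 7 are complementary, the initial marking is {1, 4, 7}.
Transition = namedtuple("Transition", "name label pre post")
NET = [
    Transition("fail1", "beta",  frozenset({1, 7}), frozenset({2, 3})),  # comp. 1 fails, propagates via 3
    Transition("rep1",  "rho",   frozenset({2}),    frozenset({1})),     # comp. 1 self-repair
    Transition("prop2", "alpha", frozenset({3, 4}), frozenset({7, 5})),  # comp. 2 fails because of comp. 1
    Transition("fail2", "alpha", frozenset({4}),    frozenset({6})),     # comp. 2's own permanent fault
    Transition("rep2",  "rho",   frozenset({5}),    frozenset({4})),     # comp. 2 self-repair
]
M0 = frozenset({1, 4, 7})
ALARMS = ["beta", "alpha", "rho", "rho", "beta", "alpha"]  # alarm sequence A of Fig. 4


def enabled(marking, t):
    """t is enabled at M iff every place of its preset is marked (safe net)."""
    return t.pre <= marking


def fire(marking, t):
    """M[t>M' = M - pre(t) + post(t); raises if the net would not stay 1-safe."""
    if not enabled(marking, t):
        raise ValueError(f"{t.name} is not enabled at {sorted(marking)}")
    rest = marking - t.pre
    if rest & t.post:
        raise ValueError(f"firing {t.name} at {sorted(marking)} is not 1-safe")
    return rest | t.post


def explain(net, m0, alarms):
    """All firing sequences of `net` from m0 whose label sequence is `alarms`.
    A trial is a (marking, sequence) pair.  Every ambiguity forks the trial,
    and a trial that cannot explain the next alarm is abandoned."""
    trials = [(m0, ())]
    for alarm in alarms:
        forked = []
        for marking, seq in trials:
            for t in net:
                if t.label == alarm and enabled(marking, t):
                    forked.append((fire(marking, t), seq + (t.name,)))
        trials = forked  # trials without a continuation die here
    return [seq for _, seq in trials]


def run_of(net, m0, seq):
    """Rebuild the run (partial order of events) of a firing sequence, the way
    Sect. 3 appends copies of transitions to conditions.  An event is identified
    by its transition and the conditions it consumes; a condition by its place
    and the event that produced it (None for the initial marking).  Hence two
    interleavings of concurrent events yield the same set of events."""
    by_name = {t.name: t for t in net}
    current = {p: (p, None) for p in m0}  # place -> condition currently holding it
    events = set()
    for name in seq:
        t = by_name[name]
        event = (name, frozenset(current[p] for p in t.pre))
        events.add(event)
        for p in t.pre:
            del current[p]
        for p in t.post:
            current[p] = (p, event)
    return frozenset(events)


def diagnose(net=NET, m0=M0, alarms=ALARMS):
    """Return (firing sequences, distinct runs, events of the union of the runs).
    The last item corresponds to the dark gray prefix of U_{P,A} in Fig. 4."""
    seqs = explain(net, m0, alarms)
    runs = {run_of(net, m0, s) for s in seqs}
    prefix = frozenset().union(*runs)
    return seqs, runs, prefix


if __name__ == "__main__":
    seqs, runs, prefix = diagnose()
    print(f"{len(seqs)} firing sequences explain {ALARMS}:")
    for s in seqs:
        print("  " + " -> ".join(s))
    print(f"but only {len(runs)} distinct runs, whose union has {len(prefix)} events")
```

On this input the replay yields four firing sequences (the two self-repairs ρ commute) but only two runs, which is the inefficiency the text points to and the reason for the branching-process representation.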

In the 4th diagram we show (prefixes of) all runs, by superimposing their
shared parts. The gray part of this diagram is a copy of the run shown in the
3rd diagram. The alternative run on the extreme left of this diagram (it
involves successive transitions labeled ii, iii, i) shares only its initial
places with the run in gray. On the other hand, replacing, in the gray run, the
transition labeled iv by the one labeled v yields another run which shares with
the gray one its transitions respectively labeled by i and by iii. This 4th
diagram is a branching process of P, we denote it by U_P; it is a net without
cycle, in which the preset of any condition contains exactly one event. Nodes
of U_P are labeled by places/transitions of P in such a way that the two
replicate each other, locally around transitions.

Fig. 3. Running example in the form of a Petri net (left), and representing its
runs in a branching process. Petri nets are drawn by using directed arrows; on
the other hand, since occurrence nets are acyclic, we draw them using
nondirected branches which have to be interpreted as implicitly directed toward
bottom.

Terminology. When dealing with branching processes, to distinguish from the
corresponding concepts in Petri nets, we shall from now on refer to
conditions/events instead of places/transitions.

Asynchronous Diagnosis with a Single Sensor and Supervisor. Here we consider
setup S1, and our discussion is supported by Fig. 4. The 1st diagram of this
figure is the alarm sequence β, α, ρ, ρ, β, α recorded at the unique sensor. It
is represented by a cycle-free, linear Petri net, whose conditions are not
labeled: conditions have no particular meaning, their only purpose is to
indicate the ordering of alarms. Denote by A' = β → α → ρ the shaded prefix of
A.

The 2nd diagram shows the net U_{A'×P}, obtained by unfolding the product
A' × P using the procedure explained in Fig. 3. The net U_{A'×P} shows how
successive transitions of P synchronize with transitions of A' having identical
label, and therefore explain them.

Since we are not interested in the conditions originating from A', we remove
them. The result is shown on the 3rd diagram. The dashed line labeled #
originates from the corresponding conflict in U_{A'×P} that is due to two
different conditions explaining the same alarm ρ. Thus we need to remove, as
possible explanations of the prefix, all runs of the 3rd diagram that contain
the #-linked pair of events labeled ρ. All remaining runs are valid
explanations of the subsequence β, α, ρ.

Finally, the net U_{P,A} shown in the 4th diagram contains a prefix consisting
of the nodes filled in dark gray. This prefix is the union of the two runs κ1
and κ2 of P, that explain A.

Fig. 4. Asynchronous diagnosis with a single sensor: showing an alarm sequence A
(1st diagram), the explanation of the prefix A' = β → α → ρ as the branching
process U_{A'×P} (2nd and 3rd diagrams), and its full explanation in the form of
a net U_{P,A} (4th diagram). In these diagrams, all branches are directed
downwards unless otherwise explicitly stated.

Fig. 5. Asynchronous diagnosis with two independent sensors: showing an alarm
pattern A (middle) consisting of two concurrent alarm sequences, and its
explanation in the form of a branching process U_{P,A} (right).

Fig. 6. Distributed diagnosis: constructing two coherent local views of the
branching process U_{P,A} of Fig. 5 by two supervisors cooperating
asynchronously.
Asynchronous Diagnosis with Two Independent Sensors but a Single
Supervisor. Focus on setup S2, in which alarms are recorded by two independent
sensors, and then collected at a single supervisor for explanation. Figure 5
shows the same alarm history as in Fig. 4, except that it has been recorded by
two independent sensors, respectively attached to each component. The
supervisor knows the global model of the system; we recall it in the 1st
diagram of Fig. 5.

The two "repair" actions are now distinguished since they are seen by
different sensors, this is why we use different labels: ρ1, ρ2. This
distinction reduces the ambiguity: in Fig. 5 we suppress the white filled path
(2) → ρ → (1) that occurred in Fig. 4. On the other hand, alarms are recorded
as two concurrent sequences, one for each sensor; call the whole an alarm
pattern. Causalities between alarms from different components are lost. This
leads to further ambiguity, as shown by the longer branch
(1) → β → (2) → ρ1 → (1) → β → (2) in Fig. 5, compare with Fig. 4.

The overall result is shown in Fig. 5, and the valid explanations for the entire
alarm pattern are the two configurations κ1 and κ2 filled in dark gray.



Distributed Diagnosis with Two Concurrent Sensors and Supervisors.
Consider setup S3, in which alarms are recorded by two independent sensors,
and processed by two local supervisors which can communicate asynchronously.
Figure 6 shows two branching processes, respectively local to each supervisor.
For completeness, we have shown the information available to each supervisor.
It consists of the local model of the component considered, together with the
locally recorded alarm pattern. The process constructed by supervisor 1 involves
only events labeled by alarms collected by sensor 1, and places that are either
local to component 1 (e.g., 1, 2) or shared (e.g., 3, 7); and similarly for the
process constructed by supervisor 2.

The 3rd diagram of Fig. 5 can be recovered from Fig. 6 in the following way:
glue events sitting at opposite extremities of each thick dashed arrow,
identify adjacent conditions, and remove the thick dashed arrows. These dashed
arrows indicate a communication between the two supervisors; let us detail the
first one. The first event labeled by alarm β belongs to component 1, hence
this explanation for β has to be found by supervisor 1. Supervisor 1 sends an
abstraction of the path (1,7) → β → (2,3) by removing the local conditions 1, 2
and the label β since the latter do not concern supervisor 2. Thus supervisor
2 receives the path (7) → [ ] → (3) to which it can append its local event
(3,4) → α → (7,5); and so on.



Discussion. The cooperation between the two supervisors needs only
asynchronous communication. Each supervisor can simply "emit and forget."
Diagnosis can progress concurrently and asynchronously at each supervisor. For
example, supervisor 1 can construct the branch [1 → β → 2 → ρ1 → 1 → β → 2] as
soon as the corresponding local alarms are collected, without ever
synchronizing with supervisor 2. This technique extends to distributed
diagnosis with several supervisors. But the algorithm for this general case is
indeed very tricky, and its analysis is even more so. Thus, theoretical study
is really necessary, and this is the main subject of the remainder of this
paper.

Fig. 7. Illustrating the problem of representing causality, conflict, and
concurrency with an occurrence net. The 1st diagram represents a set of
conditions together with a causality relation depicted by branches, and a
conflict relation whose source is indicated by the symbol #. The 2nd diagram
interpolates the 1st one as an occurrence net. (Arcs are assumed directed
downwards.)

As Fig. 4 and Fig. 6 indicate, we need projection and composition operations
on branching processes. Focus on projections. Projecting away, from an
occurrence net, a subset of conditions and events, can be performed by taking
the restriction, to the subset of remaining conditions, of the two causality
and conflict relations. An instance of the resulting structure is shown in
Fig. 7-left. A possible interpolation in the form of an occurrence net is shown
in Fig. 7-right. Such an interpolation is not unique. In addition, the
introduction of dummy conditions and events becomes problematic when combining
projections and compositions.

We need a class of data structures equipped with causality and conflict
relations, that is stable under projections. The class of event structures is
a candidate. However, since diagnosis must be explained by sets of state
histories, we need to handle conditions, not events. For this reason, we
rather consider condition structures, as introduced in the next section.

4 Mathematical Framework: Nets, Unfoldings, and 
Condition Structures 

4.1 Prerequisites on Petri Nets and Their Unfoldings [6,8,26]

Petri nets. A net is a triple N = (P, T, →), where P and T are disjoint sets of
places and transitions, and → ⊆ (P × T) ∪ (T × P) is the flow relation.
Reflexive and irreflexive transitive closures of a relation are denoted by the
superscripts (.)* and (.)+, respectively. Define ≼ = →* and ≺ = →+. Places and
transitions are called nodes, generically denoted by x. For x ∈ P ∪ T, we
denote by •x = {y : y → x} the preset of node x, and by x• = {y : x → y} its
postset. For X ⊆ P ∪ T, we write •X = ∪_{x∈X} •x and X• = ∪_{x∈X} x•. A
homomorphism from a net N to a net N' is a map φ : P ∪ T → P' ∪ T' such that:
(i) φ(P) ⊆ P', φ(T) ⊆ T', and (ii) for every transition t of N, the restriction
of φ to •t is a bijection between •t and •φ(t), and the restriction of φ to t•
is a bijection between t• and φ(t)•.
For N a net, a marking of N is a multiset M of places, i.e., a map
M : P → {0, 1, 2, ...}. A Petri net is a pair P = (N, M0), where N is a net
having finite sets of places and transitions, and M0 is an initial marking. A
transition t ∈ T is enabled at marking M if M(p) > 0 for every p ∈ •t. Such a
transition can fire, leading to a new marking M' = M − •t + t•, denoted by
M[t⟩M'. Petri net P is safe if M(P) ⊆ {0, 1} for every reachable marking M.
Throughout this paper, we consider only safe Petri nets, hence marking M can be
regarded as a subset of places.

For N_i = (P_i, T_i, →_i), i = 1, 2, two nets such that T_1 ∩ T_2 = ∅, their
parallel composition is the net

N_1 ∥ N_2 =def (P_1 ∪ P_2, T_1 ∪ T_2, →_1 ∪ →_2).

Petri nets and occurrence nets inherit this notion. For Petri nets, we adopt the
convention that the resulting initial marking is equal to M_{1,0} ∪ M_{2,0}, the
union of the two initial markings. We say that N_1 ∥ N_2 has no distributed
conflict if:

∀p ∈ P_1 ∩ P_2, ∃i ∈ {1, 2} : p• ⊆ T_i.    (1)

Note that our example of Fig. 3 satisfies (1). This is a reasonable assumption
in our context, since shared places aim at representing the propagation of
faults between components. Having distributed conflict would have no meaning in
this case. A study of this property in the context of the synthesis of
distributed automata via Petri nets is available in [5].

For N = (P, T, →) a net, a labeling is a map λ : T → Λ, where Λ is some finite
alphabet. A net N = (P, T, →, λ) equipped with a labeling λ is called a labeled
net. For N_i = (P_i, T_i, →_i, λ_i), i = 1, 2, two labeled nets, their product
N_1 × N_2 is the labeled net (P, T, →, λ) defined as follows: P = P_1 ⊎ P_2,
where ⊎ denotes the disjoint union, and:

T =   {t =def t_1 ∈ T_1 | λ_1(t_1) ∈ Λ_1 \ Λ_2}                 (i)
    ∪ {t =def (t_1, t_2) ∈ T_1 × T_2 | λ_1(t_1) = λ_2(t_2)}     (ii)
    ∪ {t =def t_2 ∈ T_2 | λ_2(t_2) ∈ Λ_2 \ Λ_1},                (iii)

p → t iff   p ∈ P_1 and p →_1 t_1                  for case (i)
            ∃i = 1, 2 : p ∈ P_i and p →_i t_i      for case (ii)
            p ∈ P_2 and p →_2 t_2                  for case (iii)

and t → p is defined symmetrically. In cases (i,iii) only one net fires a
transition and this transition has a private label, while the two nets
synchronize on transitions with identical labels in case (ii). Petri nets and
occurrence nets inherit the above notions of labeling and product.

The language L_P of labeled Petri net P is the subset of Λ* consisting of the
words λ(t_1), λ(t_2), λ(t_3), ..., where M_0[t_1⟩M_1[t_2⟩M_2[t_3⟩M_3 ... ranges
over the set of finite firing sequences of P. Note that L_P is prefix closed.

Occurrence Nets and Unfoldings. Two nodes x, x' of a net N are in conflict,
written x # x', if there exist distinct transitions t, t' ∈ T, such that
•t ∩ •t' ≠ ∅ and t ≼ x, t' ≼ x'. A node x is in self-conflict if x # x. An
occurrence net is a net O = (B, E, →), satisfying the following additional
properties:

(i) ∀x ∈ B ∪ E : ¬[x # x] (no node is in self-conflict);

(ii) ∀x ∈ B ∪ E : ¬[x ≺ x] (≼ is a partial order);

(iii) ∀x ∈ B ∪ E : |{y : y ≼ x}| < ∞ (≼ is well founded);

(iv) ∀b ∈ B : |•b| ≤ 1 (each place has at most one input transition).

We will assume that the set of minimal nodes of O is contained in B, and
we denote by min(B) or min(O) this minimal set. Specific terms are used to
distinguish occurrence nets from general nets. B is the set of conditions, E is
the set of events, ≼ is the causality relation. We say that node x is causally
related to node x' iff x ≼ x'. Nodes x and x' are concurrent, written x ⊥ x',
if neither x ≼ x', nor x' ≼ x, nor x # x' hold. A conflict set is a set X of
pairwise conflicting nodes, i.e. a clique of #; a co-set is a set X of pairwise
concurrent conditions. A maximal (for set inclusion) co-set is called a cut. A
configuration is a sub-net κ of O, which is conflict-free (no two nodes are in
conflict), causally closed (if x' ≼ x and x ∈ κ, then x' ∈ κ), and contains
min(O). We take the convention that maximal nodes of configurations shall be
conditions.

A branching process of Petri net P is a pair B = (O, φ), where O is an
occurrence net, and φ is a homomorphism from O to P regarded as nets, such
that: (i) the restriction of φ to min(O) is a bijection between min(O) and M0
(the set of initially marked places), and (ii) for all e, e' ∈ E, •e = •e' and
φ(e) = φ(e') together imply e = e'. By abuse of notation, we shall sometimes
write min(B) instead of min(O). The set of all branching processes of Petri net
P is uniquely defined, up to an isomorphism (i.e., a renaming of the conditions
and events), and we shall not distinguish isomorphic branching processes. For
B, B' two branching processes, B' is a prefix of B, written B' ⊑ B, if there
exists an injective homomorphism ψ from B' into B, such that ψ(min(B')) =
min(B), and the composition φ∘ψ coincides with φ', where ∘ denotes the
composition of maps. By theorem 23 of [9], there exists (up to an isomorphism)
a unique maximum branching process according to ⊑; we call it the unfolding of
P, and denote it by U_P. Maximal configurations of U_P are called runs of P.

4.2 Condition Structures 

Occurrence nets give rise in a natural way to (prime) event structures [22]: a prime event structure is a triple $\mathcal{E} = (E, \preceq, \#)$, where $\preceq \subseteq E \times E$ is a partial order such that (i) for all $e \in E$, the set $\{e' \in E \mid e' \preceq e\}$ is finite, and (ii) $\# \subseteq E \times E$ is symmetric and irreflexive, and such that for all $e_1, e_2, e_3 \in E$, $e_1 \# e_2$ and $e_2 \preceq e_3$ imply that $e_1 \# e_3$. Obviously, "forgetting" the net interpretation of an occurrence net yields an event structure, and even restricting to the event set $E$ does. This is the usual way of associating nets and event structures, and explains the name. Below, we will use event structures whose elements are interpreted as conditions in the sense of occurrence nets. To avoid confusion, we will speak of condition structures, even if the mathematical properties are invariant under this change of interpretation. Restricting an occurrence net to its set of conditions yields a condition structure.
Condition structures are denoted by $\mathcal{C} = (B, \preceq, \#)$. Denote by $\rightarrow$ the successor relation, i.e., the transitive reduction of the relation $\preceq$. For $b \in B$, we denote by ${}^\bullet b$ and $b^\bullet$ the preset and postset of $b$ in $(B, \rightarrow)$, respectively. For $\mathcal{C}' \sqsubseteq \mathcal{C}$ two condition structures, define the preset ${}^\bullet\mathcal{C}' = \bigcup_{b \in \mathcal{C}'} {}^\bullet b$; the postset $\mathcal{C}'^\bullet$ is defined similarly. The prefix relation on condition structures is denoted by $\sqsubseteq$. If $\mathcal{C}' \sqsubseteq \mathcal{C}$ are two condition structures, we write

$\mathcal{C}' \vdash b$ iff $b \in \mathcal{C}$ but $b \notin \mathcal{C}'$, (2)

and we say that $b$ is an extension of $\mathcal{C}'$. Each condition structure $\mathcal{C} = (B, \preceq, \#)$ induces a concurrency relation defined by $b \perp b'$ iff neither $b \preceq b'$ nor $b' \preceq b$ nor $b \# b'$ holds. Two conditions $b, b'$ are called in immediate conflict iff $b \# b'$ and, for all $b''$ such that $b'' \prec b$, $\neg[b'' \# b']$ holds, and symmetrically.

For $\mathcal{C} = (B, \preceq, \#)$ a condition structure, a labeling is a map $\varphi : B \mapsto P$, where $P$ is some finite alphabet¹. We shall not distinguish labeled condition structures that are identical up to a bijection that preserves labels, causalities, and conflicts; such condition structures are called

equivalent, denoted by the equality symbol $=$. (3)

For $\mathcal{C} = (B, \preceq, \#, \varphi)$ and $\mathcal{C}' = (B', \preceq', \#', \varphi')$ two labeled condition structures,

a (partial) morphism $\psi : \mathcal{C} \mapsto \mathcal{C}'$

is a surjective function $B \supseteq \mathrm{dom}(\psi) \mapsto B'$ such that $\psi(\preceq) \supseteq \preceq'$ and $\psi(\#) \supseteq \#'$ (causalities and conflicts can be erased but not created), which is in addition label preserving, i.e., $\forall b \in \mathrm{dom}(\psi)$, $\varphi'(\psi(b)) = \varphi(b)$. Note that $\psi(\preceq) \supseteq \preceq'$ is equivalent to $\forall b \in B : {}^\bullet\psi(b) \subseteq \psi({}^\bullet b)$. For $X \subseteq B$, define, for convenience:

$\psi(X) =_{\mathrm{def}} \psi(X \cap \mathrm{dom}(\psi))$, with the convention $\psi(\emptyset) = \mathit{nil}$. (4)

$\mathcal{C}$ and $\mathcal{C}'$ are isomorphic, written $\mathcal{C} \simeq \mathcal{C}'$, if there exist two morphisms $\psi' : \mathcal{C} \mapsto \mathcal{C}'$ and $\psi'' : \mathcal{C}' \mapsto \mathcal{C}$. It is not true in general that $\mathcal{C} \simeq \mathcal{C}'$ implies $\mathcal{C} = \mathcal{C}'$ in the sense of (3). However:

Lemma 1. If $\mathcal{C}$ and $\mathcal{C}'$ are finite, then $\mathcal{C} \simeq \mathcal{C}'$ implies $\mathcal{C} = \mathcal{C}'$.

Be careful that $\mathcal{C} = \mathcal{C}'$ means that $\mathcal{C}$ and $\mathcal{C}'$ are equivalent, not "equal" in the naive sense; we will not formulate this warning any more. To be able to use Lemma 1, we shall henceforth assume the following, where the height of a condition structure is the least upper bound of the set of all lengths of finite causal chains $b_0 \prec b_1 \prec \ldots \prec b_p$.

¹ The reader may be surprised that we reuse the symbols $P$ and $\varphi$ for objects that are different from the set of places $P$ of some Petri net and the homomorphism $\varphi$ associated with its unfolding. This notational overloading is indeed intentional. We shall mainly use condition structures obtained by erasing events in unfoldings: restricting the homomorphism $\varphi : B \cup E \mapsto P \cup T$ to the set of conditions $B$ yields a labeling $B \mapsto P$ in the above sense.




A. Benveniste et al.

Assumption 1. All condition structures we consider are of finite width, meaning that all prefixes of finite height are finite.



In this paper, we will consider mainly labeled condition structures satisfying the following property, we call them trimmed condition structures:

$\forall b, b' \in B : \; {}^\bullet b = {}^\bullet b' \text{ and } \varphi(b) = \varphi(b') \;\Rightarrow\; b = b'.$ (5)

Condition (5) is similar to the irreducibility hypothesis found in branching processes. It is important when considering the projection operation below, since projections may destroy irreducibility.

A trimming procedure can be applied to any labeled condition structure $\mathcal{C} = (B, \preceq, \#, \varphi)$ as follows: inductively by starting from $\min(\mathcal{C})$, identify all pairs $(b, b')$ of conditions such that both ${}^\bullet b = {}^\bullet b'$ and $\varphi(b) = \varphi(b')$ hold in $\mathcal{C}$. This procedure yields a triple $(\bar{B}, \bar{\preceq}, \bar{\varphi})$, and it remains to define the trimmed conflict relation $\bar{\#}$, or, equivalently, the trimmed concurrency relation $\bar{\perp}$. Define $\bar{b} \,\bar{\perp}\, \bar{b}'$ iff $b \perp b'$ holds for some pair $(b, b')$ of conditions mapped to $(\bar{b}, \bar{b}')$ by the trimming procedure. This defines $\bar{\mathcal{C}} = (\bar{B}, \bar{\preceq}, \bar{\#}, \bar{\varphi})$.

It will be convenient to consider the following canonical form for a labeled trimmed condition structure. Its conditions have the special inductive form $(X, p)$, where $X$ is a co-set of $\mathcal{C}$ and $p \in P$. The causality relation $\preceq$ is simply encoded by the preset function ${}^\bullet(X, p) = X$, and the labeling map is $\varphi(X, p) = p$. Conditions with empty preset have the form $(\mathit{nil}, p)$, i.e., the distinguished symbol $\mathit{nil}$ is used for the minimal conditions of $\mathcal{C}$. The conflict relation is specified separately. Unless otherwise specified, trimmed condition structures will be assumed in canonical form.

For $\mathcal{C} = (B, \preceq, \#, \varphi)$ a trimmed labeled condition structure, and $Q \subseteq P$ a subset of its labels, the projection of $\mathcal{C}$ on $Q$, denoted by $\Pi_Q(\mathcal{C})$, is defined as follows. Take the restriction of $\mathcal{C}$ to $\varphi^{-1}(Q)$, we denote it by $\mathcal{C}|_{\varphi^{-1}(Q)}$. By this we mean that we restrict $B$ as well as the two relations $\preceq$ and $\#$. Note that $\mathcal{C}|_{\varphi^{-1}(Q)}$ is not trimmed any more. Then, applying the trimming procedure to $\mathcal{C}|_{\varphi^{-1}(Q)}$ yields $\Pi_Q(\mathcal{C})$, which is trimmed and in canonical form. By abuse of notation, denote by $\Pi_Q(b)$ the image of $b \in \mathcal{C}|_{\varphi^{-1}(Q)}$ under this operation. The projection possesses the following universal property:

$\forall \psi : \mathcal{C} \mapsto \mathcal{C}'$ such that $\mathcal{C}'$ has label set $Q$ $\;\Rightarrow\;$ $\exists \psi' : \Pi_Q(\mathcal{C}) \mapsto \mathcal{C}'$ with $\psi = \psi' \circ \Pi_Q$. (6)

In (6), symbols $\psi, \psi', \Pi_Q$ are morphisms, and the diagram $\mathcal{C} \to \Pi_Q(\mathcal{C}) \to \mathcal{C}'$ commutes.

The composition of the two trimmed condition structures $\mathcal{C}_i = (B_i, \preceq_i, \#_i, \varphi_i)$, $i = 1, 2$, where labeling $\varphi_i$ takes its values in alphabet $P_i$, is the condition structure

$\mathcal{C}_1 \wedge \mathcal{C}_2 = (B, \preceq, \#, \varphi)$, with two associated morphisms $\psi_i : \mathcal{C}_1 \wedge \mathcal{C}_2 \mapsto \mathcal{C}_i$, $i = 1, 2$, (7)

satisfying the following universal property:

$\forall \psi'_i : \mathcal{C}' \mapsto \mathcal{C}_i$, $i = 1, 2$ $\;\Rightarrow\;$ $\exists \psi' : \mathcal{C}' \mapsto \mathcal{C}_1 \wedge \mathcal{C}_2$ with $\psi'_i = \psi_i \circ \psi'$, $i = 1, 2$. (8)

In (8), the $\psi$'s denote morphisms, and the second diagram (with $\mathcal{C}'$ on top and $\mathcal{C}_1$, $\mathcal{C}_1 \wedge \mathcal{C}_2$, $\mathcal{C}_2$ below) commutes. The composition is inductively defined as follows (we use the canonical form):

1. $\min(\mathcal{C}_1 \wedge \mathcal{C}_2) =_{\mathrm{def}} \min(\mathcal{C}_1) \cup \min(\mathcal{C}_2)$, where we identify $(\mathit{nil}, p) \in \mathcal{C}_1$ and $(\mathit{nil}, p) \in \mathcal{C}_2$ for $p \in P_1 \cap P_2$. The causality relation and labeling map follow from the canonical form, and $\# =_{\mathrm{def}} \#_1 \cup \#_2$. The canonical surjections $\psi_i : \min(\mathcal{C}_1 \wedge \mathcal{C}_2) \mapsto \min(\mathcal{C}_i)$, $i = 1, 2$ are morphisms.

2. Assume $\mathcal{C}' =_{\mathrm{def}} \mathcal{C}'_1 \wedge \mathcal{C}'_2$ together with the morphisms $\psi_i : \mathcal{C}' \mapsto \mathcal{C}'_i$ are defined, for $\mathcal{C}'_i$ a finite prefix of $\mathcal{C}_i$, and $i = 1, 2$. Then, using (4) we define, for all co-sets $X$ of $\mathcal{C}'$:

(i) $X \subseteq \mathrm{dom}(\psi_1)$, $p \in P_1 \setminus P_2$, $\mathcal{C}'_1 \vdash (\psi_1(X), p)$ $\;\Rightarrow\;$ $\mathcal{C}' \vdash (X, p)$

(i') $X \subseteq \mathrm{dom}(\psi_1)$, $p \in P_1 \cap P_2$, $\mathcal{C}'_1 \vdash (\psi_1(X), p)$ $\;\Rightarrow\;$ $\mathcal{C}' \vdash (X, p)$

(ii) $X \subseteq \mathrm{dom}(\psi_2)$, $p \in P_2 \setminus P_1$, $\mathcal{C}'_2 \vdash (\psi_2(X), p)$ $\;\Rightarrow\;$ $\mathcal{C}' \vdash (X, p)$

(ii') $X \subseteq \mathrm{dom}(\psi_2)$, $p \in P_1 \cap P_2$, $\mathcal{C}'_2 \vdash (\psi_2(X), p)$ $\;\Rightarrow\;$ $\mathcal{C}' \vdash (X, p)$

(iii) $p \in P_1 \cap P_2$, $\mathcal{C}'_1 \vdash (\psi_1(X), p)$ and $\mathcal{C}'_2 \vdash (\psi_2(X), p)$ $\;\Rightarrow\;$ $\mathcal{C}' \vdash (X, p)$

Some comments are in order. The above five rules overlap: if rule (iii) applies, then we could have applied as well rule (i') with $Y = X \cap \mathrm{dom}(\psi_1)$ in lieu of $X$, and the same for (ii'). Thus we equip rules (i-iii) with a set of priorities (a rule with priority 2 applies only if no rule with priority 1 is enabled):

rules (i, ii, iii) have priority 1, rules (i', ii') have priority 2. (9)

For the five cases (i, i', ii, ii', iii), extend $\psi_i$, $i = 1, 2$ as follows:

$\psi_1(X, p_1) =_{\mathrm{def}} (\psi_1(X), p_1)$ (i, i')

$\psi_2(X, p_2) =_{\mathrm{def}} (\psi_2(X), p_2)$ (ii, ii')

for $i = 1, 2$ : $\psi_i(X, p) =_{\mathrm{def}} (\psi_i(X), p)$ (iii),

where convention (4) is used.

Using the above rules, define the triple $(B, \preceq, \varphi)$ as being the smallest² triple containing $\min(\mathcal{C}_1 \wedge \mathcal{C}_2)$, and such that no extension using rules (i, i', ii, ii', iii) applies. It remains to equip the triple $(B, \preceq, \varphi)$ with the proper conflict relation. The conflict relation $\#$ on $\mathcal{C}_1 \wedge \mathcal{C}_2$ is defined as follows:

$\#$ is the smallest conflict relation containing $\cup$ (10)

² for set inclusion applied to the sets of conditions.

Comments. The composition of labeled event structures combines features from the product of labeled nets (its use of synchronizing labels), and from unfoldings (its inductive construction). Note that this composition is not strictly synchronizing, due to the special rules (i', ii'), which are essential in ensuring (8).

4.3 Condition Structures Obtained from Unfoldings

Consider a Petri net $\mathcal{P} = (P, T, \rightarrow, M_0)$ with its unfolding $\mathcal{U}_\mathcal{P}$. Let $\mathcal{C}_\mathcal{P}$ be the condition structure obtained by erasing the events in $\mathcal{U}_\mathcal{P}$. Such condition structures are of finite width.

Lemma 2. If $\mathcal{P}$ satisfies the following condition:

$\forall p \in P : t, t' \in {}^\bullet p \text{ and } t \neq t' \;\Rightarrow\; {}^\bullet t \neq {}^\bullet t'$, (11)

then $\mathcal{C}_\mathcal{P}$ is a trimmed condition structure, i.e., it satisfies (5). Unless otherwise stated, all Petri nets we shall consider satisfy this condition.

Condition (11) can always be enforced by inserting dummy places and transitions, as explained next. Assume that ${}^\bullet t \rightarrow t \rightarrow p$ and ${}^\bullet t' \rightarrow t' \rightarrow p$ with $t' \neq t$ but ${}^\bullet t' = {}^\bullet t$. Then, replace the path ${}^\bullet t \rightarrow t \rightarrow p$ by ${}^\bullet t \rightarrow t \rightarrow q_{t,p} \rightarrow s_{t,p} \rightarrow p$, where $q_{t,p}$ and $s_{t,p}$ are a fresh place and a fresh transition associated to the pair $(t, p)$. Perform the same for the other path ${}^\bullet t' \rightarrow t' \rightarrow p$. This is a mild transformation, of low complexity cost, which does not modify reachability properties.

Important results about condition structures obtained from unfoldings are collected below. In this result, $\mathbf{1} =_{\mathrm{def}} \emptyset$ denotes the empty condition structure, and $\mathcal{C}, \mathcal{C}_1, \mathcal{C}_2$ denote arbitrary condition structures with respective label sets $P, P_1, P_2$, and label set $Q$ is arbitrary unless otherwise specified.

Theorem 1. The following properties hold:

$\Pi_{P_1}(\mathcal{C}) \wedge \Pi_{P_2}(\mathcal{C}) = \Pi_{P_1 \cup P_2}(\mathcal{C})$ (a0)

$\Pi_{P_1}(\Pi_{P_2}(\mathcal{C})) = \Pi_{P_1 \cap P_2}(\mathcal{C})$ (a1)

$\Pi_P(\mathcal{C}) = \mathcal{C}$ (a2)

$\forall Q \supseteq P_1 \cap P_2 : \Pi_Q(\mathcal{C}_1 \wedge \mathcal{C}_2) = \Pi_Q(\mathcal{C}_1) \wedge \Pi_Q(\mathcal{C}_2)$ (a3)

$\mathcal{C} \wedge \mathbf{1} = \mathcal{C}$ (a4)

$\mathcal{C} \wedge \Pi_Q(\mathcal{C}) = \mathcal{C}$ (a5)



4.4 Discussion 

To our knowledge, compositional theories for unfoldings or event structures have received very little attention so far. The work of Esparza and Römer [10] investigates unfoldings for synchronous products of transition systems. The central issue of this reference is the construction of finite complete prefixes. However, no product is considered for the unfoldings themselves. To our knowledge, the work closest to ours is that of J-M. Couvreur et al. [7]-Sect. 4. Their motivations are different from ours, since they aim at constructing complete prefixes in a modular way, for Petri nets that have the form $\mathcal{P} = \mathcal{P}_1 \times \ldots \times \mathcal{P}_k$ (synchronous product). It is required that the considered Petri nets are not reentrant, a major limitation due to the technique used.

We are now ready to formally state our distributed diagnosis problem. 



5 Distributed Diagnosis: Formal Problem Setting [3]

We are given the following labeled Petri nets:

$\mathcal{P} = (P, T, \rightarrow, M_0, \lambda)$ : the underlying "true" system. $\mathcal{P}$ is subject to faults, thus places from $P$ are labelled by faults, taken from some finite alphabet (the non-faulty status is just one particular "fault"). The labeling map $\lambda$ associates, to each transition of $\mathcal{P}$, a label belonging to some finite alphabet $A$ of alarm labels. For its supervision, $\mathcal{P}$ produces so-called alarm patterns, i.e., sets of causally related alarms.

$\mathcal{Q} = (P^\mathcal{Q}, T^\mathcal{Q}, \rightarrow^\mathcal{Q}, M_0^\mathcal{Q}, \lambda^\mathcal{Q})$ : $\mathcal{Q}$ represents the faulty behaviour of $\mathcal{P}$, as observed via the sensor system. Thus we require that: (i) The labeling maps of $\mathcal{Q}$ and $\mathcal{P}$ take their values in the same alphabet $A$ of alarm labels, and (ii) $\mathcal{L}_\mathcal{Q} \supseteq \mathcal{L}_\mathcal{P}$, i.e., the language of $\mathcal{Q}$ contains the language of $\mathcal{P}$. In general, however, $\mathcal{Q} \neq \mathcal{P}$. For example, if a single sensor is assumed, which collects alarms in sequence by preserving causalities (as assumed in [3]), then $\mathcal{Q}$ is the net which produces all linear extensions of runs of $\mathcal{P}$. In contrast, if several independent sensors are used, then the causalities between events collected by different sensors are lost. Configurations of $\mathcal{Q}$ are called alarm patterns.

Global Diagnosis. Consider the map: $\mathcal{A} \mapsto \mathcal{U}_{\mathcal{A} \times \mathcal{P}}$, where $\mathcal{A}$ ranges over the set of all finite alarm patterns. This map filters out, during the construction of the unfolding $\mathcal{U}_\mathcal{P}$, those configurations which are not compatible with the observed alarm pattern $\mathcal{A}$. Thanks to Lemma 2, we can replace the unfolding $\mathcal{U}_{\mathcal{A} \times \mathcal{P}}$ by the corresponding condition structure $\mathcal{C}_{\mathcal{A} \times \mathcal{P}}$. Then, we can project away, from $\mathcal{C}_{\mathcal{A} \times \mathcal{P}}$, the conditions labeled by places from $\mathcal{A}$ (all this is detailed in [3]-Theorem 1). Thus we can state:

Definition 1. Global diagnosis is represented by the following map:

$\mathcal{A} \mapsto \Pi_P(\mathcal{C}_{\mathcal{A} \times \mathcal{P}})$, (12)

where $\mathcal{A}$ ranges over the set of all finite configurations of $\mathcal{Q}$.



Modular Diagnosis. Assume that Petri net $\mathcal{P}$ decomposes as $\mathcal{P} = \|_{i \in I} \mathcal{P}_i$. The different subsystems $\mathcal{P}_i$ interact via some shared places, and their sets of transitions are pairwise disjoint. In particular, the alphabet $A$ of alarm labels decomposes as $A = \bigcup_{i \in I} A_i$, where the $A_i$ are pairwise disjoint. Next, we assume that each subsystem possesses its own local sets of sensors, and the local sensor subsystems are independent, i.e., do not interact. Thus $\mathcal{Q}$ also decomposes as $\mathcal{Q} = \|_{i \in I} \mathcal{Q}_i$, and the $\mathcal{Q}_i$ possess pairwise disjoint sets of places. Consequently, in (12), $\mathcal{A}$ decomposes as $\mathcal{A} = \|_{i \in I} \mathcal{A}_i$, where the $\mathcal{A}_i$, the locally recorded alarm patterns, possess pairwise disjoint sets of places too.

Definition 2. Modular diagnosis is represented by the following map:

$\mathcal{A} \mapsto [\Pi_{P_i}(\mathcal{C}_{\mathcal{A} \times \mathcal{P}})]_{i \in I}$, (13)

where $\mathcal{A}$ ranges over the set of all finite prefixes of runs of $\mathcal{Q}$.

Note that, thanks to Theorem 1, we know that $\Pi_P(\mathcal{C}_{\mathcal{A} \times \mathcal{P}}) = \bigwedge_{i \in I} [\Pi_{P_i}(\mathcal{C}_{\mathcal{A} \times \mathcal{P}})]$, i.e., fusing the local diagnoses yields global diagnosis. However, we need to compute modular diagnosis without computing global diagnosis. On the other hand, the reader should notice that, in general, $\Pi_{P_i}(\mathcal{C}_{\mathcal{A} \times \mathcal{P}}) \neq \mathcal{C}_{\mathcal{A}_i \times \mathcal{P}_i}$, expressing the fact that the different supervisors must cooperate at establishing a coherent modular diagnosis.



6 Distributed Orchestration of Modular Diagnosis [12, 13]

This section is essential. It provides a framework for the high-level orchestration of the distributed computation of modular diagnosis. We first link our problem with the seemingly different areas of distributed constraint solving and distributed optimization.

6.1 A Link with Distributed Constraint Solving

Consider Theorem 1, and re-interpret, for a while, the involved objects differently. Suppose that our above generic label set $P$ is a set of variables, thus $p \in P$ denotes a variable. Then, suppose that all considered variables possess a finite domain, and that $\mathcal{C}$ generically denotes a constraint on the tuple $P$ of variables, i.e., $\mathcal{C}$ is a subset of all possible values for this tuple. For $Q \subseteq P$, re-interpret $\Pi_Q(\mathcal{C})$ as the projection of $\mathcal{C}$ onto $Q$. Then, re-interpret $\wedge$ as the conjunction of constraints. Finally, $\mathbf{1}$ is the trivial constraint, having empty set of associated variables. It is easily seen that, with this re-interpretation, properties (a0-a5) are satisfied.

Modular constraint solving consists in computing $\Pi_{P_i}(\bigwedge_{j \in I} \mathcal{C}_j)$ without computing the global solution $\bigwedge_{j \in I} \mathcal{C}_j$. Distributed constraint solving consists in computing it in a distributed way. Thus distributed constraint solving is a simpler problem, which is representative of our distributed diagnosis problem, when seen at the proper abstract level.
A Chaotic Algorithm for Distributed Constraint Solving. We build a graph on the index set $I$ as follows: draw a branch $(i, j)$ iff $P_i \cap P_j \neq \emptyset$, i.e., $\mathcal{C}_i$ and $\mathcal{C}_j$ interact directly. Denote by $\mathcal{G}_I$ the resulting interaction graph. For $i \in I$, denote by $N(i)$ the neighbourhood of $i$, composed of the set of $j$'s such that $(i, j) \in \mathcal{G}_I$. Note that $N(i)$ contains $i$. The algorithm assumes the existence of an "initial guess", i.e., a set of $\mathcal{C}_i$, $i \in I$ such that

$\mathcal{C} = \bigwedge_{i \in I} \mathcal{C}_i$, (14)

and it aims at computing $\Pi_{P_i}(\mathcal{C})$, for $i \in I$, in a chaotic way. In the following algorithm, each site $i$ maintains and updates, for each neighbour $j$, a message $\mathcal{M}_{i,j}$ toward $j$. Thus there are two messages per edge $(i, j)$ of $\mathcal{G}_I$, one in each direction:

Algorithm 1

1. Initialization: for each edge $(i, j) \in \mathcal{G}_I$:

$\mathcal{M}_{i,j} = \Pi_{P_i \cap P_j}(\mathbf{1})$. (15)

2. Chaotic iteration: until stabilization, select an edge $(i, j) \in \mathcal{G}_I$, and update:

$\mathcal{M}_{i,j} := \Pi_{P_i \cap P_j}\big(\mathcal{C}_i \wedge \bigwedge_{k \in N(i) \setminus j} \mathcal{M}_{k,i}\big)$ (16)

3. Termination: for each $i \in I$, set:

$\mathcal{C}^*_i = \mathcal{C}_i \wedge \bigwedge_{k \in N(i)} \mathcal{M}_{k,i}$ (17)



The following result belongs to the folklore of smoothing theory in statistics and control. It was recently revitalised in the area of so-called "soft" coding theory. In both cases, the result is stated in the context of distributed constrained optimization. In its present form, it has been proved in [13] and uses only the abstract setting of Sect. 6.1 with properties (a0-a5):

Theorem 2 ([13]). Assume that $\mathcal{G}_I$ is a tree. Then Algorithm 1 converges in finitely many iterations, and $\mathcal{C}^*_i = \Pi_{P_i}(\mathcal{C})$.

An informal argument of why the result is true is illustrated in Fig. 8. Message passing, from the leaves to the thick node, is depicted by directed arrows. Thanks to (16), each directed arrow cumulates the effect, on its sink node, of the constraints associated with its set of ancestor nodes, where "ancestor" refers to the ordering defined by the directed arrows. Now, we provide some elementary calculation to illustrate this mechanism. Apply Algorithm 1 with the particular policy shown in Fig. 8, for selecting the successive branches of $\mathcal{G}_I$. Referring to this figure, select concurrently the branches $(9, 5)$ and $(8, 5)$, and then select the branch $(5, 3)$.

Fig. 8. Illustrating why Algorithm 1 performs well when $\mathcal{G}_I$ is a tree. Messages are generated first at the leaves. They meet at some arbitrarily selected node, the "center", here depicted in thick. Then they travel backward to the leaves.

Then, successive applications of formula (16) yield:

$\mathcal{M}_{9,5} = \Pi_{P_9 \cap P_5}\big(\mathcal{C}_9 \wedge \bigwedge_{k \in N(9) \setminus 5} \mathcal{M}_{k,9}\big) = \Pi_{P_9 \cap P_5}(\mathcal{C}_9)$ (since $N(9) \setminus 5 = \emptyset$)

$\mathcal{M}_{8,5} = \Pi_{P_8 \cap P_5}(\mathcal{C}_8)$

$\mathcal{M}_{5,3} = \Pi_{P_5 \cap P_3}(\mathcal{C}_5 \wedge \mathcal{M}_{9,5} \wedge \mathcal{M}_{8,5}) = \Pi_{P_5 \cap P_3}(\mathcal{C}_5 \wedge \mathcal{C}_9 \wedge \mathcal{C}_8)$ (18)

The calculations can be further continued. They clearly yield the theorem for the center node $i = 0$, for the particular case where the branches are selected according to the policy shown in Fig. 8. A back-propagation to the leaves yields the result for all nodes. In this explanation, the messages were partially ordered, from the leaves to the thick node, and then vice-versa. Due to the monotonic nature of the algorithm, a chaotic and concurrent emission of the messages yields the same result, possibly at the price of exchanging a larger number of messages. Here is a formal proof borrowed from [13], we omit details.



Proof. Write $\mathcal{C} \le \mathcal{C}'$ iff $\mathcal{C} = \mathcal{C}' \wedge \mathcal{C}''$ for some $\mathcal{C}''$. Using this notation, note that (16) is monotonic in the following sense: if $\forall k : \mathcal{M}_{k,i} \le \mathcal{M}'_{k,i}$ in the right hand side of (16), then $\mathcal{M}_{i,j} \le \mathcal{M}'_{i,j}$ in the left hand side of (16). Next, mark $\mathcal{M}_{i,j}$ in formula (16) with a running subset $J_{i,j} \subseteq I$, initialized with $J_{i,j} = \emptyset$:

$\mathcal{M}_{i,j} := \Pi_{P_i \cap P_j}\big(\mathcal{C}_i \wedge \bigwedge_{k \in N(i) \setminus j} \mathcal{M}_{k,i}\big)$, $\quad J_{i,j} := J_{i,j} \cup \{i\} \cup \big[\bigcup_{k \in N(i) \setminus j} J_{k,i}\big]$ (19)

Then, by using properties (a0-a5) and the monotonicity of (16), we get (left as an exercise to the reader):

$\mathcal{M}_{i,j} = \Pi_{P_i \cap P_j}\big(\bigwedge_{k \in J_{i,j}} \mathcal{C}_k\big)$. (20)

Hint: compare with (18). Verify that the assumption that $\mathcal{G}_I$ is a tree is used for applying repeatedly axiom (a3): this assumption guarantees that $\big(\bigwedge_{k \in J_{i,j}} \mathcal{C}_k\big)$ and $\mathcal{C}_j$ interact only via $P_i \cap P_j$. From (20) the theorem follows easily. □
6.2 A Link with Distributed Constrained Optimization

As announced before, Theorem 2 generalizes to distributed constrained optimization. For this case, $\mathcal{C}$ becomes a pair $\mathcal{C} = (\text{constraint}, \text{cost}) =_{\mathrm{def}} (C, J)$. Constraints are as before, and costs have the following additive form:

$J(x) = \sum_{p \in P} j_p(x_p)$, (21)

where $x_p \in \mathrm{dom}(p)$, the domain of variable $p$, $x = (x_p)_{p \in P}$, and the local costs $j_p$ are real-valued, nonnegative cost functions. We require that $J$ be normalized:

$\sum_{x \models C} \exp(J(x)) = 1$, (22)

where $x \models C$ means that $x$ satisfies constraint $C$, and $\exp(.)$ denotes the exponential. In the following, the notation $\mathit{Cst}$ will denote generically a normalization factor whose role is to ensure condition (22). Then, define:

$\Pi_Q(J)(x_Q) =_{\mathrm{def}} \mathit{Cst} + \max_{x : \Pi_Q(x) = x_Q} J(x)$, (23)

In (23), $\Pi_Q(x)$ denotes the projection of $x$ on $Q$. Then, define $\Pi_Q(C)$ to be the projection of constraint $C$ on $Q$, i.e., the elimination from $C$, by existential quantification, of the variables not belonging to $Q$. Finally, define $\Pi_Q(\mathcal{C}) =_{\mathrm{def}} (\Pi_Q(C), \Pi_Q(J))$. Next, we define the composition $\wedge$. To this end, take for $C_1 \wedge C_2$ the conjunction of the considered constraints. And define:

$(J_1 \wedge J_2)(x) =_{\mathrm{def}} \mathit{Cst} + \big(J_1(\Pi_{P_1}(x)) + J_2(\Pi_{P_2}(x))\big)$. (24)

It is easily checked that the properties (a0-a5) are still satisfied. Thus, Algorithm 1 solves, in a distributed way, the following problem:

$\max_{x \models C} J(x)$, (25)

for the case in which $\mathcal{C} =_{\mathrm{def}} (C, J)$ decomposes as $\mathcal{C} = \bigwedge_{i \in I} \mathcal{C}_i$, cf. (14).

Problem (25) can also be interpreted as maximum likelihood constraint solving, to resolve nondeterminism. In this case, the cost function $J$ is interpreted as the logarithm of the likelihood (loglikelihood), whence the normalization constraint (22). Then, the additive decomposition (21) for the loglikelihood means that the different variables are considered independent with respect to their prior distribution (i.e., when ignoring the constraints). In fact, the so defined systems $\mathcal{C}$ are Markov random fields, for which Algorithm 1 provides distributed maximum likelihood estimation. This viewpoint is closely related to belief propagation in belief networks [19, 20, 23].
6.3 Application to Off-Line Distributed Diagnosis

As said above, our framework of Sects. 4 and 5 satisfies properties (a0-a5). We can therefore apply Algorithm 1 to perform off-line diagnosis, i.e., compute $\Pi_{P_i}(\mathcal{C}_{\mathcal{A} \times \mathcal{P}})$, cf. (13), for $\mathcal{A}$ being fixed. Now, we need an initial guess $\mathcal{C}_i$ satisfying (14), i.e., in our case: $\mathcal{C}_{\mathcal{A} \times \mathcal{P}} = \bigwedge_{i \in I} \mathcal{C}_i$. As said, $\mathcal{C}_{\mathcal{A}_i \times \mathcal{P}_i}$ is not a suitable initial guess, since $\mathcal{C}_{\mathcal{A} \times \mathcal{P}} \neq \bigwedge_{i \in I} \mathcal{C}_{\mathcal{A}_i \times \mathcal{P}_i}$. Thus we need to find another one. Of course, we want this initial guess to be "cheap to compute", meaning at least that its computation is purely local and does not involve any cooperation between supervisors.

This is by no means a trivial task in general. However, in our running example, we can simply complement $\mathcal{P}_1$ by a new path $(3) \rightarrow [\,] \rightarrow (7)$, and $\mathcal{P}_2$ by a path $(7) \rightarrow [\,] \rightarrow (3)$, and the reader can check that (14) is satisfied by taking $\mathcal{C}_i =_{\mathrm{def}} \mathcal{C}_{\mathcal{A}_i \times \bar{\mathcal{P}}_i}$, where $\bar{\mathcal{P}}_i$, $i = 1, 2$ denote the above introduced completions. In fact, this trick works for pairs of nets having a simple interaction involving only one pair of complementary places. It is not clear how to generalize this to more complex cases; fortunately, this difficulty disappears for the on-line algorithm, which is our very objective.

Anyway, having a correct initial guess at hand, Algorithm 1 applies, and yields the desired high-level orchestration for off-line distributed diagnosis. Each primitive operation of this orchestration is either a projection or a composition. For both, we have given the detailed definition above. All primitives are local to each site, i.e., involve only its private labels.

Again, since only properties (a0-a5) are required by Algorithm 1, we can also address the maximum likelihood extension discussed before (see [4, 17] for issues of randomizing Petri nets with a full concurrency semantics). This is the problem of maximum likelihood diagnosis that our prototype software solved, in the context described in Sect. 2.



6.4 An On-Line Variant of the Abstract Setting

Handling on-line diagnosis amounts to extending the results of Sect. 6.1 to "time-varying" structures in a certain sense [14]. We shall now complement the set of abstract properties (a0-a5) to prepare for the on-line case. Equip the set of condition structures with the following partial order:

$\mathcal{C}' \sqsubseteq \mathcal{C}$ iff $\mathcal{C}$ is a prefix of $\mathcal{C}'$, (26)

please note the inversion! To emphasize the analogy with constraint solving, $\mathcal{C}' \sqsubseteq \mathcal{C}$ reads: $\mathcal{C}'$ refines $\mathcal{C}$. Note that

$\mathcal{C}' \sqsubseteq \mathcal{C}$ holds in particular if: $\mathcal{C}' = \mathcal{C}_{\mathcal{A}' \times \mathcal{P}}$, $\mathcal{C} = \mathcal{C}_{\mathcal{A} \times \mathcal{P}}$, $\mathcal{A}' \sqsubseteq \mathcal{A}$, (27)

this is the situation encountered in incremental diagnosis. The following result complements Theorem 1:
Theorem 3. The following properties hold:

$\mathcal{C} \sqsubseteq \mathbf{1}$ (a6)

$\mathcal{C}_1 \sqsubseteq \mathcal{C}_2 \;\Rightarrow\; \mathcal{C}_1 \wedge \mathcal{C}_3 \sqsubseteq \mathcal{C}_2 \wedge \mathcal{C}_3$ (a7)

$\mathcal{C}' \sqsubseteq \mathcal{C} \;\Rightarrow\; \forall Q : \Pi_Q(\mathcal{C}') \sqsubseteq \Pi_Q(\mathcal{C})$ (a8)

Distributed Constraint Solving with Monotonically Varying Constraints. Consider again our re-interpretation as distributed constraint solving. Now, instead of constraint $\mathcal{C}_i$ being given once and for all, we are given a set of constraints $\mathbb{C}_i$ ordered by $\sqsubseteq$. More precisely, for $\mathcal{C}_i, \mathcal{C}'_i \in \mathbb{C}_i$, write $\mathcal{C}_i \sqsubseteq \mathcal{C}'_i$ iff $\mathcal{C}_i \le \mathcal{C}'_i$, i.e., the former refines the latter. We assume that $\mathbb{C}_i$ is a lattice, i.e., that the supremum of two constraints exists in $\mathbb{C}_i$. Since all domains are finite, then $\mathcal{C}_i^\infty = \lim_{\sqsubseteq}(\mathbb{C}_i)$ is well defined. Algorithm 1 is then modified as follows, [14]:

Algorithm 2

1. Initialization: for each edge $(i, j) \in \mathcal{G}_I$:

$\mathcal{M}_{i,j} = \Pi_{P_i \cap P_j}(\mathbf{1})$. (28)

2. Chaotic nonterminating iteration: Choose nondeterministically, in the following steps:

CASE 1: select a node $i \in I$ and update:

read $\mathcal{C}_i^{\mathrm{new}} \sqsubseteq \mathcal{C}_i^{\mathrm{cur}}$ and update $\mathcal{C}_i^{\mathrm{cur}} := \mathcal{C}_i^{\mathrm{new}}$. (29)

CASE 2: select an edge $(i, j) \in \mathcal{G}_I$, and update:

$\mathcal{M}_{i,j} := \Pi_{P_i \cap P_j}\big(\mathcal{C}_i^{\mathrm{cur}} \wedge \bigwedge_{k \in N(i) \setminus j} \mathcal{M}_{k,i}\big)$. (30)

CASE 3: Update subsystems: select $i \in I$, and set:

$\mathcal{C}^*_i := \mathcal{C}_i^{\mathrm{cur}} \wedge \bigwedge_{k \in N(i)} \mathcal{M}_{k,i}$. (31)

In step 2, $\mathcal{C}_i^{\mathrm{cur}}$ denotes the current estimated value for $\mathcal{C}_i$, whereas $\mathcal{C}_i^{\mathrm{new}}$ denotes the new, refined, version. Algorithm 2 is fairly executed if it is applied in such a way that every node $i$ of CASE 1 and CASE 3, and every edge $(i, j)$ of CASE 2 is selected infinitely many times.

Theorem 4 ([14]). Assume that $\mathcal{G}_I$ is a tree, and Algorithm 2 is fairly executed. Then, for any given $\mathcal{C} = \bigwedge_{i \in I} \mathcal{C}_i$ where $\mathcal{C}_i \in \mathbb{C}_i$, after sufficiently many iterations, one has $\forall i \in I : \mathcal{C}^*_i \sqsubseteq \Pi_{P_i}(\mathcal{C})$.

Theorem 4 expresses that, modulo a fairness assumption, Algorithm 2 refines, with some delay, the solution $\Pi_{P_i}(\mathcal{C})$ of any given intermediate problem $\mathcal{C}$.

Proof. It refines the proof of Theorem 2. The monotonicity argument applies here with the special order $\sqsubseteq$. Due to our fairness assumption, after sufficiently many iterations, each node $i$ has updated its $\mathcal{C}_i^{\mathrm{cur}}$ in such a way that $\mathcal{C}_i^{\mathrm{cur}} \sqsubseteq \mathcal{C}_i$. Select such a status of Algorithm 2, and then start marking the recursion (30) as in (19). Applying the same reasoning as for the proof of Theorem 2 yields that $\mathcal{M}_{i,j} \sqsubseteq \Pi_{P_i \cap P_j}\big(\bigwedge_{k \in J_{i,j}} \mathcal{C}_k\big)$, from which Theorem 4 follows. □

How Algorithms 1 and 2 behave when $\mathcal{G}_I$ possesses cycles is discussed in [1, 15].
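As an added example (not the paper's own code), here is the constraint-solving reading of Sect. 6.1 run end to end: Algorithm 1 with the termination step (17), checked against Theorem 2, and then a CASE 1 refinement of one site with the iteration resumed from the old messages, checked against Theorem 4. Constraints are finite relations over {0,1}-valued variables; the three sites, their variables and the tree 1-2-3 are constructed here, and the self-message $\mathcal{M}_{i,i}$ that the paper's $N(i)$ admits is omitted since $\mathcal{C}_i$ already implies it.

```python
from itertools import product


class Constraint:
    """A constraint over finitely many variables: the set of allowed value rows.
    Variables are kept sorted so that equal constraints compare equal."""

    def __init__(self, variables, rows):
        variables = list(variables)
        self.vars = tuple(sorted(variables))
        order = [variables.index(v) for v in self.vars]
        self.rows = frozenset(tuple(row[i] for i in order) for row in rows)

    def __eq__(self, other):
        return self.vars == other.vars and self.rows == other.rows

    def refines(self, other):
        """C refines C' (C = C' AND C'' for some C'') iff C's rows are a subset."""
        return self.vars == other.vars and self.rows <= other.rows

    def project(self, q):
        """Pi_Q(C): keep the variables in Q, eliminating the others existentially."""
        keep = [i for i, v in enumerate(self.vars) if v in q]
        return Constraint([self.vars[i] for i in keep],
                          {tuple(row[i] for i in keep) for row in self.rows})

    def conj(self, other):
        """C1 AND C2: rows of both that agree on the shared variables, merged."""
        shared = [v for v in self.vars if v in other.vars]
        merged_vars = list(self.vars) + [v for v in other.vars if v not in self.vars]
        rows = set()
        for r1 in self.rows:
            d1 = dict(zip(self.vars, r1))
            for r2 in other.rows:
                d2 = dict(zip(other.vars, r2))
                if all(d1[v] == d2[v] for v in shared):
                    merged = {**d1, **d2}
                    rows.add(tuple(merged[v] for v in merged_vars))
        return Constraint(merged_vars, rows)


ONE = Constraint([], {()})  # the trivial constraint 1: no variables, one empty row


def conj_all(constraints):
    result = ONE
    for c in constraints:
        result = result.conj(c)
    return result


def chaotic_iteration(sites, edges, messages=None):
    """Steps 1-3 of Algorithm 1: `sites` maps a site index i to C_i, `edges`
    lists the branches (i, j) of the interaction graph.  Passing the previous
    `messages` back in resumes the iteration after a site refined its constraint
    (CASE 1 of Algorithm 2).  Returns (messages, C*)."""
    neigh = {i: set() for i in sites}
    for i, j in edges:
        neigh[i].add(j)
        neigh[j].add(i)
    directed = [(i, j) for i, j in edges] + [(j, i) for i, j in edges]
    if messages is None:
        messages = {e: ONE for e in directed}  # (15): Pi_{Pi∩Pj}(1) is 1 itself
    changed = True
    while changed:  # "until stabilization"; the sweep order is one chaotic policy
        changed = False
        for i, j in directed:
            shared = set(sites[i].vars) & set(sites[j].vars)
            # (16): C_i combined with every message coming into i except j's;
            # the self-message M_ii is implied by C_i and dropped here.
            incoming = [messages[(k, i)] for k in neigh[i] if k != j]
            new = conj_all([sites[i]] + incoming).project(shared)
            if new != messages[(i, j)]:
                messages[(i, j)] = new
                changed = True
    # (17): each site combines its own constraint with all incoming messages.
    star = {i: conj_all([sites[i]] + [messages[(k, i)] for k in neigh[i]])
            for i in sites}
    return messages, star


def global_projections(sites):
    """The reference solution Pi_{P_i}(C) for C = AND_i C_i, computed centrally."""
    c = conj_all(sites.values())
    return {i: c.project(set(sites[i].vars)) for i in sites}


def demo():
    """Constructed instance: three sites on the tree 1 - 2 - 3 (P1 ∩ P3 = ∅)."""
    sites = {
        1: Constraint(["a", "b"], {(0, 1), (1, 0)}),                # a != b
        2: Constraint(["b", "c"], {(0, 0), (1, 1)}),                # b == c
        3: Constraint(["c", "d"], set(product([0, 1], repeat=2))),  # nothing known yet
    }
    edges = [(1, 2), (2, 3)]
    messages, star = chaotic_iteration(sites, edges)
    offline_ok = all(star[i] == global_projections(sites)[i] for i in sites)
    # Algorithm 2, CASE 1 (29): site 3 learns that c = 1 and refines C_3; the
    # resumed iteration (30) propagates the refinement to sites 2 and 1.
    sites[3] = Constraint(["c", "d"], {(1, 0), (1, 1)})
    messages, star = chaotic_iteration(sites, edges, messages)
    online_ok = all(star[i].refines(global_projections(sites)[i]) for i in sites)
    return offline_ok, online_ok, star
```

After the refinement, site 1 ends with the single row (a, b) = (0, 1) without ever seeing $\mathcal{C}_3$: the information arrived through $\mathcal{M}_{3,2}$ and then $\mathcal{M}_{2,1}$, which is the mechanism (18) illustrates.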
Application to On-Line Distributed Diagnosis. Here we consider the case in which a possibly infinite alarm pattern is observed incrementally: $\mathcal{A}^\infty = \|_{i \in I} \mathcal{A}_i^\infty$, meaning that sensor $i$ receives only finite prefixes $\mathcal{A}_i$ of $\mathcal{A}_i^\infty$, partially ordered by inclusion. Now, by (27):

$\forall i \in I : \mathcal{A}'_i \sqsubseteq \mathcal{A}_i, \quad \mathcal{C}_i = \mathcal{C}_{\mathcal{A}_i \times \mathcal{P}_i} \sqsupseteq \mathcal{C}_{\mathcal{A}'_i \times \mathcal{P}_i} = \mathcal{C}'_i$. (32)

Thus on-line distributed diagnosis amounts to generalizing Algorithm 1 to the case in which subsystems $\mathcal{C}_i$ are updated on-line while the chaotic algorithm is running. Theorem 4 expresses that, if applied in a fair manner, then Algorithm 2 explains any finite alarm pattern after sufficiently many iterations.

For the off-line case, we mentioned that obtaining an "initial guess" for the $\mathcal{C}_i$ was a difficult issue. Now, since Algorithm 2 progresses incrementally, the issue is to compute the increment from $\mathcal{C}_i^{\mathrm{cur}}$ to $\mathcal{C}_i^{\mathrm{new}}$ in a "cheap" way. As detailed in [1], this can be performed locally, provided that the increment from $\mathcal{A}_i^{\mathrm{cur}}$ to $\mathcal{A}_i^{\mathrm{new}}$ is small enough.

Back to Our Running Example. Here we only relate the different steps of Algorithm 2 to Fig. 6. Initialization is performed by starting from empty unfoldings on both supervisors. CASE 1 of step (a) consists, e.g., for supervisor 1, in recording the first alarm $\beta$ ($\mathcal{A}^{\mathrm{cur}} = \emptyset$ and $\mathcal{A}^{\mathrm{new}} = \{\beta\}$), and then explaining $\beta$ by the net $(1) \rightarrow \beta \rightarrow (2) \;\cup\; (1, 7) \rightarrow \beta \rightarrow (2, 3)$. CASE 2 of step (a) consists, e.g., for supervisor 1, in computing the abstraction of this net, for use by supervisor 2; this is shown by the first thick dashed arrow. Step (b), e.g., consists, for supervisor 2, in receiving the above abstraction and using it to append $(3, 4) \rightarrow \alpha \rightarrow (7, 5)$ as an additional explanation for its first alarm $\alpha$; another explanation is the purely local one $(4) \rightarrow \alpha \rightarrow (6)$, which does not require the cooperation of supervisor 1.



7 Conclusion 

For the context of fault management in SDH/SONET telecommunications networks, a prototype software implementing the method was developed in our laboratory, using Java threads to emulate concurrency. This software was subsequently deployed at Alcatel on a truly distributed experimental management platform. No modification was necessary to perform this deployment.

To ensure that the deployed application be autonomous in terms of synchronization and control, we have relied on techniques from true concurrency. The overall distributed orchestration of the application also required techniques originating from totally different areas related to statistics and information theory, namely belief propagation and distributed algorithms on graphical models. Only by blending those two orthogonal domains was it possible to solve our problem, and our work is a contribution in both domains.

Regarding concurrency theory, we have introduced a new compositional theory of modular event (or condition) structures. These objects form a category equipped with its morphisms, with a projection and two composition operations; it provides the adequate framework to support the distributed construction of unfoldings or event structures. It opens the way to using unfoldings or event structures as core data structures for distributed and asynchronous applications.

Regarding belief propagation, the work reported here presents an axiomatic form not known before. Also, time-varying extensions are proposed. This abstract framework allowed us to address distributed diagnosis, both off-line and on-line, and to derive types of algorithms not envisioned before in the field of graphical algorithms.

The application area which drives our research raises a number of additional issues for further investigation. Getting the model (the net $\mathcal{P}$) is the major one: building the model manually is simply not acceptable. We are developing appropriate software and models for a small number of generic management objects. These have to be instantiated on the fly at network discovery, by the management platform. This is a research topic in itself. From the theoretical point of view, the biggest challenge is to extend our techniques to dynamically changing systems. This is the subject of future research. Various robustness issues need to be considered: messages or alarms can be lost, the model can be approximate, etc. Probabilistic aspects are also of interest, to resolve nondeterminism by performing maximum likelihood diagnosis. The papers [4, 17] propose two possible mathematical frameworks for this, and a third one is in preparation.
Abstract. We apply the theory of asynchronous automata to the synthesis problem of closed distributed systems. We use safe asynchronous automata as implementation model, and characterise the languages they accept. We analyze the complexity of the synthesis problem in our framework. Theorems by Zielonka and Morin are then used to develop and implement a synthesis algorithm. Finally, we apply the developed algorithms to the classic problem of mutual exclusion.



1 Introduction 

We address the problem of automatically synthesising a finite-state, closed distributed system from a given specification. Seminal papers in this area are [EC82, MW84], where synthesis algorithms from temporal logic specifications are developed. The algorithms are based on tableau procedures for the satisfiability problem of CTL and LTL.

These approaches suffer from the limitation that the synthesis algorithms produce a sequential process $P$, and not a distributed implementation, i.e., a tuple $(P_1, \ldots, P_n)$ of communicating processes. The solution suggested in these works is to first synthesise the sequential solution, and then decompose it. However, since distribution aspects like concurrency and independency of events are not part of the CTL or LTL specification (and cannot be, since they are not bisimulation invariant), the solution may be impossible to distribute while keeping the intended concurrency. (This is in fact what happens with the solutions of [EC82,MW84] to the mutual exclusion problem.)

A better approach to the problem consists in formally specifying not only the properties the system should satisfy, but also its architecture (how many components, and how they communicate). This approach was studied in [PR89] for open systems, in which the environment is an adversary of the system components, and the question is whether the system has a strategy that guarantees the specification against all possible behaviours of the environment. The realization problem (given the properties and the architecture, decide if there exists an implementation) was shown to be undecidable for arbitrary architectures, and decidable but non-elementary for hierarchical architectures vs. LTL specifications. Recent work [KV01] extends the decidability result (and the upper bound) to CTL* specifications and linear architectures. To the best of our knowledge the synthesis procedures have not been implemented or tested on small examples.

In this paper we study the realization problem for the simpler case of closed systems, the original class of systems considered in [EC82,MW84]. This problem has been studied with unlabelled Petri nets (see e.g. [BD98]) and product transition systems (see [CMT99] and the references therein) as notions of implementation. In this paper, we attack the problem using asynchronous automata [Zie87,DR95]. Asynchronous automata can be seen as a tuple of concurrent processes communicating in a certain way (or as 1-safe labelled Petri nets). In our approach, a specification consists of two parts: a regular language $L$ over an alphabet $\Sigma$ of actions, containing all the finite executions that the synthesised system should be able to execute, and a tuple $(\Sigma_1, \ldots, \Sigma_n)$ of local alphabets indicating the actions in which the processes to be synthesised are involved; an action can be executed only if all processes involved in it are willing to execute it. The synthesis problem consists of producing a so-called safe asynchronous automaton whose associated processes have $(\Sigma_1, \ldots, \Sigma_n)$ as alphabets, and whose language is included in $L$ (together with some other conditions to remove trivial solutions). The main advantage of our approach with respect to those of [BD98, CMT99] is its generality: Unlabelled Petri nets and product transition systems can be seen as strict subclasses of safe asynchronous automata.

The first two contributions of the paper are of theoretical nature. The first one is a refinement of Zielonka’s theorem [Zie87], a celebrated central result of the theory of Mazurkiewicz traces. The refinement characterises the languages recognised by safe asynchronous automata, which we call implementable languages. (This result was also announced in [Muk02] without proof.) This result allows us to divide the synthesis problem into two parts: (1) given a specification $L, (\Sigma_1, \ldots, \Sigma_n)$, decide if there exists an implementable language $L' \subseteq L$, and (2) given such an $L'$, obtain a safe asynchronous automaton with $L'$ as language. In the second contribution, we find that part (1) is undecidable; therefore we restrict our attention to an NP-complete subclass of solutions for which reasonable heuristics can be developed.

The third and main contribution of the paper is the development of heuristics to solve (1) and (2) in practice, their application to the mutual exclusion problem, and the evaluation of the results. The heuristic for (2) uses a result by Morin [Mor98] to speed up the synthesis procedure given by Zielonka in [Zie87]. Our heuristics synthesise two (maybe not ‘elegant’ but) new and far more realistic shared-variables solutions to the mutex problem than those of [EC82,MW84] (the results of [PR89], being for open systems and very generally applicable, did not provide any better automatically generated solution to the mutual exclusion problem). We make good use of the larger expressivity of asynchronous automata compared to unlabelled Petri nets and product transition systems: The first solution cannot be synthesised using Petri nets, and the second - the most realistic - cannot be synthesised using Petri nets or product transition systems.

The paper is structured as follows. Section 2 introduces asynchronous automata and Zielonka’s theorem. In Sect. 3 we present the characterisation of implementable languages. Section 4 describes the synthesis problem together with heuristics for the construction of a solution and discusses complexity issues. Section 5 shows the synthesis procedure at work on the mutual exclusion problem. All the proofs can be found in [SEM03].

2 Preliminaries 

We start with some definitions and notations about automata and regular languages. A finite automaton is a five-tuple $A = (Q, \Sigma, \delta, I, F)$ where $Q$ is a finite set of states, $\Sigma$ is a finite alphabet of actions, $I, F \subseteq Q$ are sets of initial and final states, respectively, and $\delta \subseteq Q \times \Sigma \times Q$ is the transition relation. We write $q \xrightarrow{a} q'$ to denote $(q, a, q') \in \delta$. The language recognised by $A$ is defined as usual. A language is regular if it is recognised by some finite automaton. Given a language $L$, its prefix closure is the language containing all words of $L$ together with all their prefixes. A language $L$ is prefix-closed if it is equal to its prefix closure. Given two languages $L_1, L_2 \subseteq \Sigma^*$, we define their shuffle as $\mathit{shuffle}(L_1, L_2) := \{u_1 v_1 u_2 v_2 \cdots u_k v_k \mid k \geq 1,\ u_1 \ldots u_k \in L_1,\ v_1 \ldots v_k \in L_2 \text{ and } u_i, v_i \in \Sigma^*\}$.

We recall that regular languages are closed under boolean operations, that 
the prefix-closure of a regular language is regular, and that the shuffle of two 
regular languages is regular. 



2.1 Asynchronous Automata 

Let $\Sigma$ be a nonempty, finite alphabet of actions, and let $Proc$ be a nonempty, finite set of process labels. A distribution of $\Sigma$ over $Proc$ is a function $\Delta : Proc \to 2^{\Sigma} \setminus \emptyset$. Intuitively, $\Delta$ assigns to each process the set of actions it is involved in, which are the actions that cannot be executed without the process participating in them. It is often more convenient to represent a distribution by the domain function $dom : \Sigma \to 2^{Proc} \setminus \emptyset$ that assigns to each action the processes that execute it. We call the pair $(\Sigma, dom)$ a distributed alphabet. A distribution induces an independence relation $\| \subseteq \Sigma \times \Sigma$ as follows: $\forall a, b \in \Sigma : a \| b \iff dom(a) \cap dom(b) = \emptyset$. I.e., two actions are independent if no process is involved in both. The intuition is that independent actions may occur concurrently.

An asynchronous automaton over a distributed alphabet is a finite automaton 
that can be distributed into communicating local automata. The states of the 
automaton are tuples of local states of the local automata. 

Definition 1. An asynchronous automaton $AA$ over a distributed alphabet $(\Sigma, dom)$ is a finite automaton $(Q, \Sigma, \delta, I, F)$ such that there exist

— a family of sets of local states $(Q_k)_{k \in Proc}$, and

— a relation $\delta_a \subseteq \prod_{k \in dom(a)} Q_k \times \prod_{k \in dom(a)} Q_k$ for each action $a \in \Sigma$

satisfying the following properties:

— $Q = \prod_{k \in Proc} Q_k$, with $I, F \subseteq Q$ initial and final states, and

— $\delta = \{ (q, a, q') \mid \forall k \notin dom(a) : q_k = q'_k \;\wedge\; ((q_k)_{k \in dom(a)}, (q'_k)_{k \in dom(a)}) \in \delta_a \}$

where $q_k$ denotes the $k$-th component of $q$, and $(q_k)_{k \in dom(a)}$ denotes the projection of $q$ onto $dom(a)$.

Fig. 1. An asynchronous automaton together with its formal description. (The drawing is not reproduced; the formal description is:)

$\Sigma = \{a, b\}$, $Proc = \{1, 2\}$

$dom(a) = \{1\}$, $dom(b) = \{2\}$

$Q_1 = \{q_0, q_1\}$, $Q_2 = \{q'_0, q'_1\}$

$\delta_a = \{(q_0, q_1)\}$, $\delta_b = \{(q'_0, q'_1)\}$

$I = \{(q_0, q'_0)\}$, $F = \{(q_0, q'_0), (q_1, q'_0), (q_0, q'_1)\}$

The language recognised by an asynchronous automaton is the language it recognises as a finite automaton. If all $\delta_a$'s are functions and $I$ contains only one element, then $AA$ is called deterministic.

Figure 1 shows an asynchronous automaton. Intuitively, each set $Q_k$ represents the set of states of a sequential component. Whether there is an $a$-transition between two states depends only on the projections of the states onto $dom(a)$; the local states of the other components are irrelevant. Moreover, the execution of $a$ only changes the local state of the processes in $dom(a)$. In particular, if there is an $a$-transition between two global states $q_1, q_2$, then there must also be $a$-transitions between any states $q'_1, q'_2$ such that the projections of $q_1, q'_1$ and of $q_2, q'_2$ on $dom(a)$ coincide. It is easy to see that, as a consequence, every asynchronous automaton satisfies the independent and forward diamond rules:

- ID : $q_1 \xrightarrow{a} q_2 \xrightarrow{b} q_4 \;\wedge\; a \| b \implies \exists q_3 : q_1 \xrightarrow{b} q_3 \xrightarrow{a} q_4$

- FD : $q_1 \xrightarrow{a} q_2 \;\wedge\; q_1 \xrightarrow{b} q_3 \;\wedge\; a \| b \implies \exists q_4 : q_2 \xrightarrow{b} q_4 \;\wedge\; q_3 \xrightarrow{a} q_4$.

Finally, observe that the accepting conditions of asynchronous automata are global: We need to know the local states of all the processes in order to determine if the tuple of local states is a final state.



2.2 Zielonka’s Theorem 

Zielonka’s theorem characterises the languages accepted by asynchronous automata. Given a distributed alphabet $(\Sigma, dom)$, we say that $L \subseteq \Sigma^*$ is a trace language if $L$ is closed under the independence relation $\|$ associated to $dom$:

$\forall a, b \in \Sigma$ and $\forall w, w' \in \Sigma^* : wabw' \in L \;\wedge\; a \| b \implies wbaw' \in L$.

Theorem 1. [Zie87] Let $(\Sigma, dom)$ be a distributed alphabet, and let $L \subseteq \Sigma^*$. $L$ is recognised by a finite asynchronous automaton with distribution $dom$ if and only if it is a regular trace language. Moreover, if $L$ is recognised by an asynchronous automaton, then it is also recognised by a deterministic asynchronous automaton.
The proof of the theorem is constructive. Zielonka defines an effectively computable equivalence relation on $\Sigma^*$ of finite index; its definition can be found in [Zie87]. Now, consider the infinite automaton having $L$ as set of states, and $w \xrightarrow{a} wa$ as transitions. The asynchronous automaton of Theorem 1 is the quotient of this automaton under Zielonka's equivalence. The size of the automaton is single exponential in the size of the minimal deterministic automaton recognising $L$, and double exponential in the size of $Proc$.

The following shows that in order to decide if a language is a regular trace 
language, it suffices to compute the minimal automaton recognising it, and check 
if it satisfies ID. 

Proposition 1. Let $(\Sigma, dom)$ be a distributed alphabet, and let $L \subseteq \Sigma^*$ be regular.
The following conditions are equivalent: 

1. L is a regular trace language; 

2. the minimal deterministic finite automaton recognising L satisfies ID. 

3 Implementable Specifications 

As mentioned in the introduction, we use regular languages as specifications of the set of global behaviours of a distributed system, where a behaviour is a finite sequence of actions. In this setting, asynchronous automata are not a realistic implementation model. The reason is best explained by means of an example. Let $\Sigma = \{a, b\}$ and $dom(a) = \{1\}$, $dom(b) = \{2\}$, and consider the language $L = \{\varepsilon, a, b\}$. Intuitively, $(L, dom)$ cannot be implemented: Since $L$ contains both $a$ and $b$, and $a$ and $b$ are executed independently of each other, nothing can prevent an implementation from executing $ab$ and $ba$ as well, which do not belong to $L$. However, the asynchronous automaton of Fig. 1 recognises $L$. The reason is that we can choose the global final states as $\{(0,0), (1,0), (0,1)\}$, excluding $(1,1)$. (Notice that if we remove $(1,1)$ from the set of states the automaton is no longer asynchronous, because it does not satisfy FD.) In our context, in which runs of the automaton should represent behaviours of a distributed system, this is not acceptable: We cannot declare a posteriori that a sequence of actions we have observed is not a behaviour because the state it reaches is non-final.

This example shows that we have to restrict our attention to asynchronous automata in which all states reachable from the initial states are final. We call such automata safe¹.

As we mentioned in the introduction, the synthesis of closed distributed systems has been studied before using unlabelled Petri nets [BD98] and product transition systems [Mor98,CMT99] as implementation models. Both models can be seen as subclasses of safe asynchronous automata in which, for each action $a$, the relation $\delta_a$ satisfies an additional condition. In the case of Petri nets, $\delta_a$ must contain at most one element. In the case of product transition systems, $\delta_a$ must have a product form: There must be a family of relations $\delta^k_a \subseteq Q_k \times Q_k$, $k \in dom(a)$, such that $\delta_a = \prod_{k \in dom(a)} \delta^k_a$.

¹ Safe (asynchronous) automata were studied by Zielonka in [Zie89]. Safe there means something weaker: All reachable states are co-reachable (i.e. there is a path from that state to a final one). However, the difference between the two definitions of safe vanishes when the recognised language is prefix-closed.

In the rest of this section we obtain the equivalent of Theorem 1 and Proposition 1 for safe asynchronous automata.

Definition 2. A regular trace language $L \subseteq \Sigma^*$ is called implementable if it satisfies:

— prefix-closedness: $\forall w, w', w'' \in \Sigma^* : w = w'w'' \in L \implies w' \in L$

— safe-branching²: $\forall w \in \Sigma^* : wa \in L \;\wedge\; wb \in L \;\wedge\; a \| b \implies wab \in L$.



Theorem 2. Let $(\Sigma, dom)$ be a distributed alphabet, and let $L \subseteq \Sigma^*$. $L$ is recognised by a finite safe asynchronous automaton with distribution $dom$ if and only if it is an implementable trace language. Moreover, if $L$ is recognised by a safe asynchronous automaton, then it is also recognised by a safe deterministic asynchronous automaton.

A proof is given in [SEM03] and a constructive one follows from Proposition 3. 

Proposition 2. Let $(\Sigma, dom)$ be a distributed alphabet, and let $L \subseteq \Sigma^*$ be regular.
The following conditions are equivalent: 

1. L is an implementable language; 

2. the minimal deterministic finite automaton recognising L is safe and satisfies 
ID and FD. 

This result provides an inexpensive test to check if a specification (L, dom) 
is implementable: Compute the minimal automaton recognising L and check if 
it satisfies ID and FD and if all its states are final. These checks have linear 
time complexity in the size of the minimal automaton and in the size of the 
independence relation generated by dom. 
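The test of Proposition 2, as an added example (Python; not the paper's tool): it derives the independence relation from dom, checks ID, FD and safety on a deterministic automaton given as a transition dictionary, and runs on the Fig. 1 automaton with the final states of Sect. 3, with all four states final, and with state (1,1) removed. State names (i, j) abbreviate (q_i, q'_j) as in Sect. 3; the check is only meaningful on the minimal automaton, as the proposition requires.

```python
from itertools import product

# Distributed alphabet of Fig. 1 and Sect. 3: dom(a) = {1}, dom(b) = {2}.
DOM = {"a": {1}, "b": {2}}

# The automaton of Fig. 1 (constructed here from its formal description),
# encoded as a deterministic transition dict (state, action) -> successor.
FIG1_DELTA = {((0, 0), "a"): (1, 0), ((0, 0), "b"): (0, 1),
              ((1, 0), "b"): (1, 1), ((0, 1), "a"): (1, 1)}
FIG1_INIT = (0, 0)
FIG1_FINAL = {(0, 0), (1, 0), (0, 1)}        # recognises L = {eps, a, b} (Sect. 3)
FIG1_ALL = FIG1_FINAL | {(1, 1)}             # recognises {eps, a, b, ab, ba}
# Sect. 3 variant: state (1,1) and the transitions into it are dropped.
NO11_DELTA = {k: v for k, v in FIG1_DELTA.items() if v != (1, 1)}


def independence(dom):
    """a||b iff dom(a) and dom(b) are disjoint (Sect. 2.1)."""
    return {(a, b) for a, b in product(dom, repeat=2) if not (dom[a] & dom[b])}


def check_id(delta, indep):
    """ID: q1 -a-> q2 -b-> q4 with a||b needs some q3 with q1 -b-> q3 -a-> q4.
    Returns a violating (q1, a, b), or None if ID holds."""
    for (q1, a), q2 in delta.items():
        for (p, b), q4 in delta.items():
            if p != q2 or (a, b) not in indep:
                continue
            q3 = delta.get((q1, b))
            if q3 is None or delta.get((q3, a)) != q4:
                return (q1, a, b)
    return None


def check_fd(delta, indep):
    """FD: q1 -a-> q2 and q1 -b-> q3 with a||b need q4 with q2 -b-> q4 and q3 -a-> q4.
    Returns a violating (q1, a, b), or None if FD holds."""
    for (q1, a), q2 in delta.items():
        for (p, b), q3 in delta.items():
            if p != q1 or (a, b) not in indep:
                continue
            q4 = delta.get((q2, b))
            if q4 is None or delta.get((q3, a)) != q4:
                return (q1, a, b)
    return None


def reachable(delta, init):
    seen, todo = {init}, [init]
    while todo:
        q = todo.pop()
        for (p, _), q2 in delta.items():
            if p == q and q2 not in seen:
                seen.add(q2)
                todo.append(q2)
    return seen


def is_implementable(delta, init, final, dom):
    """Proposition 2 on a (minimal) deterministic automaton: every reachable
    state is final (safety) and ID and FD hold. The nested loops here are
    quadratic in the number of transitions, not the linear-time check of the text."""
    indep = independence(dom)
    safe = reachable(delta, init) <= set(final)
    return safe and check_id(delta, indep) is None and check_fd(delta, indep) is None
```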

Remark 1. Testing whether a specification is implementable is PSPACE-complete, when the input is a regular expression or a non-deterministic automaton (it can be easily shown that both checking ID and FD are PSPACE-complete).

It is not difficult to show that implementable languages are a proper superset 
of the Petri net languages and the languages of product transition systems (see 
[Zie87]). As we will see in Sect. 5.1, this is the fact that will allow us to derive 
implementations in our case studies. 



4 The Synthesis Problem 

In our setting, the synthesis problem is: Given a distributed alphabet $(\Sigma, dom)$ and a regular language $L_{spec}$, represented as a deterministic finite automaton $A_{spec}$, is there a safe asynchronous automaton $AA$ such that $L(AA) \subseteq L(A_{spec})$? In addition, we require that all the actions in $\Sigma$ appear in $L(AA)$, because we are not interested in trivial solutions like $L(AA) = \emptyset$ or partial solutions in which only some of the processes are executing actions. By definition, for a given language $L$, let $\Sigma(L) := \{a \in \Sigma \mid \exists u, v \in \Sigma^* \text{ with } uav \in L\}$ denote the actions appearing in $L$. Then, the set of actions appearing in an (asynchronous) automaton $A$ is just $\Sigma(A) := \Sigma(L(A))$. We are now able to formulate:

Problem 1. (Synthesis problem) Given a distributed alphabet $(\Sigma, dom)$ and a deterministic finite automaton $A_{spec}$ such that $\Sigma(A_{spec}) = \Sigma$, is there a safe asynchronous automaton $AA$ such that $L(AA) \subseteq L(A_{spec})$ and $\Sigma(AA) = \Sigma$?

² In [Maz87] the property of safe-branching is called properness.

Theorem 3. The synthesis problem is undecidable. 

Because of the undecidability of the synthesis problem stated in Theorem 3, we attack a more modest but ‘only’ NP-complete problem, for which, as we will see, we can develop reasonable heuristics. This requires introducing the notion of a subautomaton. We say that $A' = (Q', \Sigma', \delta', I', F')$ is a subautomaton of $A = (Q, \Sigma, \delta, I, F)$ if $Q' \subseteq Q$, $\Sigma' \subseteq \Sigma$, $I' \subseteq I$, $F' \subseteq F$ and $\delta' \subseteq \delta$.

In the subautomata synthesis problem we search for the language of $AA$ only among the languages of the subautomata of $A_{spec}$. More precisely, we examine the languages of the subautomata, which are obviously included in $L(A_{spec})$, and determine if one of them is the language of an asynchronous automaton. Since the languages of safe asynchronous automata are exactly the implementable ones, what we in fact do is to consider the following problem:

Problem 2. (Subautomata synthesis) Given a distributed alphabet $(\Sigma, dom)$ and a deterministic finite automaton $A_{spec}$ such that $\Sigma(A_{spec}) = \Sigma$, is there a safe subautomaton $A'$ of $A_{spec}$ with $\Sigma(A') = \Sigma$ satisfying ID and FD?

A positive solution to an instance of this problem implies a positive solution 
to the same instance of the synthesis problem. 

Theorem 4. The subautomata synthesis problem is NP-complete. 

Let us now summarize our approach: 

1. Choose the set of actions $\Sigma$ of the system and a distribution $\Delta$.

2. Describe the ‘good’ behaviours of the system as a regular language $L_{spec}$. Usually, we give $L_{spec}$ as a base language (e.g. a shuffle of local behaviours), from which we filter out undesired behaviours (e.g. behaviours that lead to two processes in a critical section).

3. Construct $A$ (usually, the minimal deterministic finite automaton) satisfying $L(A) = L_{spec}$.

4. Find a safe subautomaton $A'$ of $A$ with $\Sigma(A') = \Sigma$ satisfying ID and FD (see Sect. 4.1).

5. Apply Theorem 2 to obtain a safe asynchronous automaton $AA$ satisfying $L(AA) = L(A')$³ (see Sect. 4.2).

³ Note that we can apply Theorem 2, because the language of a safe automaton satisfying ID and FD is implementable.

4.1 Constructing a Subautomaton

Given an automaton $A$, finding a safe subautomaton $A'$ satisfying $\Sigma(A') = \Sigma$, ID, and FD is NP-complete, so in the worst case this is exponentially expensive. In our experiments, we found two natural heuristics helpful for this problem:

1. [destructive] Starting with the initial automaton $A$, we remove states and transitions that prevent the properties of safety, ID and FD from holding. So, if we have non-final states, we remove them; if we have a conflict w.r.t. FD (e.g., $\exists q_1 \xrightarrow{a} q_2$ and $\exists q_1 \xrightarrow{b} q_3$ with $a \| b$, but there exists no state $q_4$ such that $q_2 \xrightarrow{b} q_4$ and $q_3 \xrightarrow{a} q_4$), we remove one of the transitions involved in the conflict (e.g., removing $q_1 \xrightarrow{b} q_3$ will solve the conflict); something similar for ID. In the process of removal we want to preserve $\Sigma(A') = \Sigma$.

2. [constructive] Starting with the empty subautomaton, we add states and transitions until we find a safe subautomaton $A'$ satisfying ID and FD. We apply a breadth-first traversal together with a ‘greedy strategy’ which prefers transitions labelled by new action names; we do not add transitions violating the ID and FD rules, and we do not add non-final states.

In both of the above strategies, we stop when we find a subautomaton satisfying our properties. Therefore, in general, the first heuristic will produce a larger solution than the second one. Larger solutions represent more behaviours, so better implementations for our synthesis problem. Unfortunately, this large subautomaton will serve as an input for Zielonka’s procedure and this may blow up the state space of the solution. That is why the second heuristic is usually preferred, and the experimental results in Sect. 5.2 witness this fact.

4.2 Constructing an Asynchronous Automaton 

The proof of Zielonka’s the
orem provides an algorithm to automatically derive an asynchronous automaton from an implementable language $L$ (obtained as in the previous subsection). We start by giving here a version of the algorithm. The version is tailored so that we can easily add a heuristic that we describe in the second half of the section. Loosely speaking, the algorithm proceeds by unfolding the minimal deterministic automaton recognising $L$ until an asynchronous automaton is obtained.

Data structure The algorithm maintains a deterministic reachable automaton $A$ in which all states are final. The transitions of $A$ are coloured green, red, or black. The algorithm keeps the following invariants:

1. The automaton $A$ is deterministic and recognises $L$.

2. Green transitions form a directed spanning-tree of $A$, i.e., a directed tree with the initial state $q_0$ as root and containing all states of $A$.

3. Let $W(q)$ be the unique word $w$ such that there is a path $q_0 \xrightarrow{w} q$ in the spanning-tree. For any $q \neq q'$, the words $W(q)$ and $W(q')$ are not equivalent under Zielonka's equivalence. (Notice that if a transition $q \xrightarrow{a} q'$ is green, then $W(q) \cdot a = W(q')$.)

4. A transition $q \xrightarrow{a} q'$ is red if $W(q) \cdot a$ is not equivalent to $W(q')$.

5. All other transitions are black.

Initially, $A$ is the minimal deterministic finite automaton $(Q_0, \Sigma, \delta_0, q_0, Q_0)$ recognising the implementable language $L$. The set of green transitions can be computed by means of well-known algorithms. The other colours are computed to satisfy the invariants.

Algorithm If the current automaton has no red transitions, then the algorithm stops. Otherwise, it chooses a red transition $q \xrightarrow{a} q'$, and proceeds as follows:

a. Deletes the transition $q \xrightarrow{a} q'$.

b. If there is a state $q''$ such that $W(q) \cdot a$ is equivalent to $W(q'')$, then the algorithm adds a black transition $q \xrightarrow{a} q''$.

c. Otherwise, the algorithm

c1. creates a new (final) state $r$,

c2. adds a new green transition $q \xrightarrow{a} r$ (and so $W(r) := W(q) \cdot a$), and

c3. for every transition $q' \xrightarrow{b} q''$, adds a new transition $r \xrightarrow{b} s$ with $s := \delta_0(q_0, W(r) \cdot b)$. The new transition is coloured red if $W(r) \cdot b$ is not equivalent to $W(s)$, and black otherwise.

Proposition 3. The algorithm described above always terminates and its output is a safe deterministic finite asynchronous automaton recognising the implementable language $L$.

Unfortunately, as we will see later in one of our case studies, the algorithm can 
produce automata with many more states than necessary. We have implemented 
a heuristic that allows to ‘stop early’ if the automaton synthesised so far happens 
to already be a solution, and otherwise guides the algorithm in the choice of the 
next red transition. 

For this, we need a test that, given a distributed alphabet $(\Sigma, dom)$ and an automaton $A$, checks if $A$ is an asynchronous automaton with respect to $dom$ (i.e., checks the existence of the sets $Q_k$ and the relations $\delta_a$). Moreover, if $A$ is not asynchronous, the test should produce a “witness” transition of this fact. Fortunately, Morin provides in [Mor98] precisely such a test:

Theorem 5. [Mor98] Let $A$ be a deterministic automaton and $dom$ be a distribution. There is a least family of equivalences $(=_k)_{k \in Proc}$ over the states of $A$ such that (below we write $q =_{dom(a)} q'$ if $\forall k \in dom(a) : q =_k q'$)

DE1: $q \xrightarrow{a} q' \;\wedge\; k \notin dom(a) \implies q =_k q'$

DE2: $q_1 \xrightarrow{a} q'_1 \;\wedge\; q_2 \xrightarrow{a} q'_2 \;\wedge\; q_1 =_{dom(a)} q_2 \implies q'_1 =_{dom(a)} q'_2$

Moreover $A$ is an asynchronous automaton over $dom$ iff the next two conditions hold for any states $q_1, q_2$ and any action $a$:

DS1: $(\forall k \in Proc : q_1 =_k q_2) \implies q_1 = q_2$

DS2: $(\exists q'_1 : q_1 \xrightarrow{a} q'_1 \;\wedge\; q_1 =_{dom(a)} q_2) \implies \exists q'_2 : q_2 \xrightarrow{a} q'_2$

It is not difficult to show that the least equivalences $(=_k)_{k \in Proc}$ can be computed in polynomial time by means of a fixpoint algorithm, and so Theorem 5 provides a polynomial test to check if $A$ is asynchronous.
Because we are interested only in an asynchronous automaton accepting the same language as the initial automaton, a weaker version of Theorem 5 suffices: If the least family of equivalences satisfying DE1 and DE2 also satisfies DS2 (but not necessarily DS1), there exists an asynchronous automaton recognising the same language as $A$.

Notice that if $A$ passes the test then we can easily derive the sets $Q_k$ of local states and the relations $\delta_a$ for every action $a$: $Q_k$ contains the equivalence classes of $=_k$; given two classes $q, q'$, we have $(q, q') \in \delta_a$ iff $A$ contains an $a$-transition between some representatives of $q, q'$. We remark for later use in our case studies that the proof of [Mor98] proves in fact something stronger than Theorem 5: Any equivalence satisfying DE1, DE2, and DS2 can be used to obtain an asynchronous automaton language-equivalent with $A$. The least family is easy to compute, but it yields an implementation in which the sets $Q_k$ are too large.
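Morin's test as an added example (Python; not the paper's implementation): the least equivalences $=_k$ are computed by a union-find fixpoint from DE1 and DE2, DS1 and DS2 are then checked, and $Q_k$ and $\delta_a$ are read off the classes as the paragraph above describes. Run on the Fig. 1 automaton it recovers two local states per process and a single pair in each $\delta_a$; on the three-state variant of Sect. 3 (state (1,1) removed) DS2 fails. State names (i, j) abbreviate (q_i, q'_j).

```python
from itertools import product

# Fig. 1 automaton (Sect. 2.1), constructed here from its formal description;
# global state (i, j) stands for (q_i, q'_j).
DOM = {"a": {1}, "b": {2}}
PROCS = {1, 2}
FIG1_STATES = {(0, 0), (1, 0), (0, 1), (1, 1)}
FIG1_DELTA = {((0, 0), "a"): (1, 0), ((0, 0), "b"): (0, 1),
              ((1, 0), "b"): (1, 1), ((0, 1), "a"): (1, 1)}
# Sect. 3 variant without (1,1): three states, two transitions.
NO11_STATES = FIG1_STATES - {(1, 1)}
NO11_DELTA = {k: v for k, v in FIG1_DELTA.items() if v != (1, 1)}


def least_equivalences(states, delta, dom, procs):
    """Least family (=_k)_{k in procs} satisfying DE1 and DE2, kept as one
    union-find structure per process. Returns {k: {state: representative}}."""
    parent = {k: {q: q for q in states} for k in procs}

    def find(k, q):
        while parent[k][q] != q:
            q = parent[k][q]
        return q

    def union(k, q1, q2):
        r1, r2 = find(k, q1), find(k, q2)
        if r1 == r2:
            return False
        parent[k][r2] = r1
        return True

    def eq_dom(a, q1, q2):
        return all(find(k, q1) == find(k, q2) for k in dom[a])

    # DE1: q -a-> q' and k not in dom(a) => q =_k q'  (process k does not move on a)
    for (q, a), q2 in delta.items():
        for k in procs - dom[a]:
            union(k, q, q2)
    # DE2: q1 -a-> q1', q2 -a-> q2', q1 =_dom(a) q2 => q1' =_dom(a) q2'  (to fixpoint)
    changed = True
    while changed:
        changed = False
        for (q1, a), q1p in delta.items():
            for (q2, b), q2p in delta.items():
                if a == b and eq_dom(a, q1, q2):
                    for k in dom[a]:
                        changed |= union(k, q1p, q2p)
    return {k: {q: find(k, q) for q in states} for k in procs}


def morin_test(states, delta, dom, procs):
    """Theorem 5: returns (DS1 holds, DS2 holds, least equivalences)."""
    eqs = least_equivalences(states, delta, dom, procs)

    def eq_dom(a, q1, q2):
        return all(eqs[k][q1] == eqs[k][q2] for k in dom[a])

    # DS1: two states that agree on every =_k are the same state
    ds1 = all(q1 == q2 for q1, q2 in product(states, repeat=2)
              if all(eqs[k][q1] == eqs[k][q2] for k in procs))
    # DS2: an a-transition at q1 forces one at every q2 with q1 =_dom(a) q2
    ds2 = all((q2, a) in delta
              for (q1, a) in delta for q2 in states if eq_dom(a, q1, q2))
    return ds1, ds2, eqs


def local_components(eqs, delta, dom, procs):
    """Q_k = classes of =_k; delta_a = pairs of projections onto dom(a)
    joined by some a-transition of A."""
    Q = {k: set(eqs[k].values()) for k in procs}
    delta_a = {}
    for (q, a), q2 in delta.items():
        src = tuple(eqs[k][q] for k in sorted(dom[a]))
        dst = tuple(eqs[k][q2] for k in sorted(dom[a]))
        delta_a.setdefault(a, set()).add((src, dst))
    return Q, delta_a
```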

If $A$ does not pass the test (this implies a red transition involved in the failure), the heuristic will propose a red transition to be processed by the algorithm. We find this transition by applying Morin’s test to the subautomaton $A_{g\&b}$ containing only the green and black transitions of $A$. There are two cases: (1) the test fails, and then we can prove that there is a red edge involved in the failure of DS2, namely $\exists q_1 \xrightarrow{a} q'_1$ green or black with $q_1 =_{dom(a)} q_2$, and $\exists q_2 \xrightarrow{a} q'_2$ red; or (2) the test is successful, and then we iteratively add red transitions to the subautomaton $A_{g\&b}$ until DS2 is violated. In either case, we find a red transition as a candidate for the unfolding algorithm.

5 Case Study: Mutual Exclusion 

A mutual exclusion (mutex for short) situation appears when two or more processes are trying to access for ‘private’ use a common resource. A distributed solution to the mutex problem is a collection of programs, one for each process, such that their concurrent execution satisfies three properties: mutual exclusion (it is never the case that two processes have simultaneous access to the resource), absence of starvation (if a process requests access to the resource, the request is eventually granted), and deadlock freedom.

We consider first the problem for two processes. Let the actions be

$\Sigma := \{req_1, enter_1, exit_1, req_2, enter_2, exit_2\}$

with the intended meanings: request access to, enter and exit the critical section giving access to the resource. The indices 1 and 2 specify the process that executes the action.

We fix now a distribution. Obviously, we wish to have two processes $P_1, P_2$ such that $\Delta(P_1) = \{req_1, enter_1, exit_1\}$ and $\Delta(P_2) = \{req_2, enter_2, exit_2\}$. We also want $req_1 \| req_2$, so we need at least two extra processes $V_1$ and $V_2$ such that $\Delta(V_1)$ contains $req_1$ but not $req_2$, and $\Delta(V_2)$ contains $req_2$ but not $req_1$. So let:

$\Delta(V_1) = \{req_1, enter_1, exit_1, enter_2\}$ and $\Delta(V_2) = \{req_2, enter_2, exit_2, enter_1\}$.⁴

⁴ We could also add $exit_1$ to $\Delta(V_1)$ and $exit_2$ to $\Delta(V_2)$; the solution does not change.
Next, we define a regular language, $Mutex_1$, specifying the desired behaviours of the system. We want $Mutex_1$ to be the maximal language satisfying the following conditions:

1. $Mutex_1$ is included in the shuffle of the prefix-closures of $(req_1\, enter_1\, exit_1)^*$ and $(req_2\, enter_2\, exit_2)^*$. I.e., the processes execute $req_i\, enter_i\, exit_i$ in cyclic order.

2. $Mutex_1 \subseteq \Sigma^* \setminus [\Sigma^*\, enter_1\, (\Sigma \setminus exit_1)^*\, enter_2\, \Sigma^*]$ and its dual version. I.e., a process must exit before the other one can enter. This guarantees mutual exclusion.

3. $Mutex_1 \subseteq \Sigma^* \setminus [\Sigma^*\, req_1\, (\Sigma \setminus enter_1)^*\, enter_2\, (\Sigma \setminus enter_1)^*\, enter_2\, \Sigma^*]$ and dual. I.e., after a request by one process the other process can enter the critical section at most once. This guarantees absence of starvation.

4. For any $w \in Mutex_1$, there exists an action $a \in \Sigma$ such that $wa \in Mutex_1$. This guarantees deadlock freedom.

Condition 3 needs to be discussed. In our current framework we cannot deal with ‘proper’ liveness properties, like: If a process requests access to the critical section, then the access will eventually be granted. This is certainly a shortcoming of our current framework. In this example, we enforce absence of starvation by putting a concrete bound on the number of times a process can enter the critical section after a request by the other process.

The largest language satisfying conditions 1-3 is regular because of the closure properties of regular languages, and a minimal automaton recognising it can be easily computed. Since it is deadlock-free, it recognises the largest language satisfying conditions 1-4.⁵

It turns out that the minimal automaton $A_1$ for $Mutex_1$ is safe, satisfies ID, FD, and $\Sigma(A_1) = \Sigma$. Using Proposition 2 the recognised language is implementable. This allows us to apply Zielonka’s construction, which yields a safe asynchronous automaton with 34 states. Applying our heuristic based on Morin’s test we obtain that the minimal automaton recognising $Mutex_1$, which has 14 states, is already an asynchronous automaton. Families of local states and transitions can be constructed using Morin’s theorem. The processes $P_1$ and $P_2$ have three local states each, while the processes $V_1$ and $V_2$ have 7 states.

We can now ask if the solution can be simplified, i.e., if there is a smaller fa- 
mily of local states making the minimal automaton asynchronous. This amounts 
to finding a larger family {=k)(k£Proc) of equivalences satisfying the properties 
of Theorem 5. This can be done by merging equivalence classes, and checking if 
the resulting equivalences still satisfy the properties. We have implemented this 
procedure and it turns out that there exists another solution in which Vi and V 2 
have only 4 states. Figure 2 (top) shows the resulting asynchronous automaton, 
translated into pseudocode for legibility. There (com) denotes that the command 
com is executed in one single atomic step. We have represented the processes 

^ If this had not been the case, the largest automaton would have been obtained by 
removing all states not contained in any infinite path. 
Initialization: v1 := 0; v2 := 0 

Process 1 

repeat forever 
  [NCS1]; 
  v1 := 1; 
  ⟨ await (v1 ∈ {1, 3} and v2 ∈ {0, 1}) then 
    (v1 := 2 and (if v2 = 1 then v2 := 3)) ⟩; 
  [CS1]; 
  v1 := 0 
end repeat 

Process 2 

repeat forever 
  [NCS2]; 
  v2 := 1; 
  ⟨ await (v1 ∈ {0, 1} and v2 ∈ {1, 3}) then 
    ((if v1 = 1 then v1 := 3) and v2 := 2) ⟩; 
  [CS2]; 
  v2 := 0 
end repeat 


Initialization: v1 := 0; v2 := 0 

Process 1 

ncs1: [NCS1]; 
      ⟨ case (v1 = 0): v1 := 1; goto e1 
        case (v1 = 2): v1 := 1; goto e1' 
        case (v1 = 3): v1 := 4; goto e1' ⟩ 
e1:   ⟨ await v2 ∈ {0, 1} then 
        case (v2 = 0): goto cs1 
        case (v2 = 1): goto cs1' ⟩ 
e1':  ⟨ await v2 ∈ {2, 3} then 
        case (v2 = 2): v2 := 0; goto cs1 
        case (v2 = 3): v2 := 1; goto cs1' ⟩ 
cs1:  [CS1]; v1 := 0; goto ncs1 
cs1': [CS1]; v1 := 3; goto ncs1 

Process 2 

ncs2: [NCS2]; 
      ⟨ case (v2 = 0): v2 := 1; goto e2 
        case (v2 = 2): v2 := 3; goto e2 ⟩ 
e2:   ⟨ await v1 ∈ {0, 2, 3, 4} then 
        case (v1 = 0): v1 := 2; goto cs2 
        case (v1 = 2): v1 := 0; goto cs2 
        case (v1 = 3): v1 := 2; goto cs2 
        case (v1 = 4): v1 := 1; goto cs2 ⟩ 
cs2:  [CS2]; 
      ⟨ case (v2 = 1): v2 := 2; goto ncs2 
        case (v2 = 3): v2 := 0; goto ncs2 ⟩ 

Fig. 2. The two synthesised solutions for Mutex (N = 2) 



V_1 and V_2 as two variables with range {0, 1, 2, 3}.^ By construction, the algo- 
rithm satisfies mutual exclusion, absence of starvation, and deadlock freedom. 
Moreover, the two processes can make requests independently of each other. 

Using the results of [BD98] it is easy to show that Mutex_1 is not a Petri net 
language. However, it is a product language in the sense of [CMT99]. The results 
of [CMT99] also allow one to derive the solution of Fig. 2. In this case, asynchronous 
automata do not have an advantage. 



5.1 Mutual Exclusion Revisited 

The mutex algorithm of the previous section requires updating the variables v_1 
and v_2 before entering the critical section in one single atomic action, which is 
difficult to implement. Is it possible to obtain a solution that avoids this problem? 
We observe that the problem lies in the distribution we have chosen. We have 
Δ(V_1) ∩ Δ(V_2) = {enter_1, enter_2}, and so both V_1 and V_2 are involved in the 
enter actions, which means that the implementation of both enter_1 and enter_2 
requires updating both v_1 and v_2 in a single atomic action. So we look for a 
different distribution in which Δ(V_1) ∩ Δ(V_2) = ∅. We take: 

Δ(V_1) = {req_1, enter_2, exit_1} and Δ(V_2) = {req_2, enter_1, exit_2}. 

^ The pseudocode was derived by hand, but it would not be difficult to automate 
the process. 
Unfortunately, Mutex_1 is no longer implementable under this new distri- 
bution. The minimal automaton fails to satisfy FD: there is a state in which 
both enter_1 and enter_2 are enabled (and enter_1 ∥ enter_2), but there is no con- 
verging state to close the diamond. We then apply the first heuristic from Sect. 4.1 
and indeed find a subautomaton satisfying ID and FD, deadlock-free and 
containing all the actions. 

Zielonka's construction yields a safe asynchronous automaton with 4799 sta- 
tes. Fortunately, our heuristic yields an asynchronous automaton with only 20 
states (see [SEM03]). Once distributed over the four processes of the specifica- 
tion (and merging local states where possible), we obtain the pseudocode shown in 
Fig. 2 (bottom). The variables v_1 and v_2 range over {0, 1, 2, 3, 4} and {0, 1, 2, 3} 
respectively. The labels associated with the commands suggest their type; for 
example, r_1 means a request of the first process and x_2 means an exit from the 
critical section of the second process. Notice that the command corresponding 
to a label is executed atomically and that the program pointers of the two 
components advance only as a result of a goto command. 

The components are now asymmetric, due to the fact that the first heuristic 
'solved' the FD conflict by removing an enter_2 transition. Yet the algorithm is 
starvation-free: if the second process requests access to the critical section, it will 
receive it as soon as possible. 

The language Mutex_2 is neither a Petri net language nor the language of a 
product of transition systems, and so the procedures of [BD98,CMT99] cannot 
be applied. 
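
The pseudocode of Fig. 2 is small enough to be checked exhaustively by hand, but a practitioner would rather let a program do it. The following is an added example in Python, not code from the paper or its tool: each process of both Fig. 2 solutions is encoded as a transition function over the shared variables v1, v2, and every interleaving is explored, checking mutual exclusion, deadlock freedom and the bound on overtaking that the specification encodes (here: the other process may enter at most once after a request). The function names, the 'req'/'enter'/'exit' action labels and the per-process overtaking counter are this example's own conventions.

```python
"""Exhaustive check of the two synthesised mutex algorithms of Fig. 2 (N = 2).

Added example, not code from the paper or its tool: each process of the
pseudocode is encoded as a transition function over the shared variables
v1, v2, and every interleaving is explored.  The function names, the
'req'/'enter'/'exit' action labels and the overtaking counter are this
example's own."""

from collections import deque


def fig2_top():
    """First solution of Fig. 2 (v1, v2 range over {0, 1, 2, 3})."""
    def p1(pc, v1, v2):
        if pc == 'ncs1':
            return [('req', 1, v2, 'e1')]
        if pc == 'e1':                                   # guarded atomic step
            if v1 in (1, 3) and v2 in (0, 1):
                return [('enter', 2, 3 if v2 == 1 else v2, 'cs1')]
            return []
        return [('exit', 0, v2, 'ncs1')]                 # pc == 'cs1'

    def p2(pc, v1, v2):
        if pc == 'ncs2':
            return [('req', v1, 1, 'e2')]
        if pc == 'e2':
            if v1 in (0, 1) and v2 in (1, 3):
                return [('enter', 3 if v1 == 1 else v1, 2, 'cs2')]
            return []
        return [('exit', v1, 0, 'ncs2')]                 # pc == 'cs2'

    return p1, p2, 'ncs1', 'ncs2', {'cs1'}, {'cs2'}


def fig2_bottom():
    """Second solution of Fig. 2 (v1 in {0..4}, v2 in {0..3}); P1 has the
    entry labels e1, e1' and the exit labels cs1, cs1'."""
    def p1(pc, v1, v2):
        if pc == 'ncs1':
            return {0: [('req', 1, v2, 'e1')],
                    2: [('req', 1, v2, "e1'")],
                    3: [('req', 4, v2, "e1'")]}.get(v1, [])
        if pc == 'e1':                                   # await v2 in {0, 1}
            return {0: [('enter', v1, v2, 'cs1')],
                    1: [('enter', v1, v2, "cs1'")]}.get(v2, [])
        if pc == "e1'":                                  # await v2 in {2, 3}
            return {2: [('enter', v1, 0, 'cs1')],
                    3: [('enter', v1, 1, "cs1'")]}.get(v2, [])
        if pc == 'cs1':
            return [('exit', 0, v2, 'ncs1')]
        return [('exit', 3, v2, 'ncs1')]                 # pc == "cs1'"

    def p2(pc, v1, v2):
        if pc == 'ncs2':
            return {0: [('req', v1, 1, 'e2')],
                    2: [('req', v1, 3, 'e2')]}.get(v2, [])
        if pc == 'e2':                                   # await v1 in {0,2,3,4}
            return {0: [('enter', 2, v2, 'cs2')],
                    2: [('enter', 0, v2, 'cs2')],
                    3: [('enter', 2, v2, 'cs2')],
                    4: [('enter', 1, v2, 'cs2')]}.get(v1, [])
        return {1: [('exit', v1, 2, 'ncs2')],            # pc == 'cs2'
                3: [('exit', v1, 0, 'ncs2')]}.get(v2, [])

    return p1, p2, 'ncs1', 'ncs2', {'cs1', "cs1'"}, {'cs2'}


def check(solution, bound=1):
    """Breadth-first exploration of all interleavings.

    A state is (pc1, pc2, v1, v2, w1, w2) where w_i counts how often the
    other process entered its critical section since process i issued a
    request (None while i is not waiting).  'problem' is None when mutual
    exclusion, deadlock freedom and 'overtaking <= bound' all hold;
    'global_states' counts the distinct (pc1, pc2, v1, v2) reached."""
    p1, p2, pc1_0, pc2_0, cs1, cs2 = solution
    init = (pc1_0, pc2_0, 0, 0, None, None)
    seen, todo = {init}, deque([init])
    problem = None
    while todo and problem is None:
        pc1, pc2, v1, v2, w1, w2 = todo.popleft()
        if pc1 in cs1 and pc2 in cs2:
            problem = 'mutual exclusion violated'
            break
        succ = []
        for act, nv1, nv2, npc in p1(pc1, v1, v2):
            nw1 = 0 if act == 'req' else None            # waiting starts / ends
            nw2 = w2 + 1 if act == 'enter' and w2 is not None else w2
            succ.append((npc, pc2, nv1, nv2, nw1, nw2))
        for act, nv1, nv2, npc in p2(pc2, v1, v2):
            nw2 = 0 if act == 'req' else None
            nw1 = w1 + 1 if act == 'enter' and w1 is not None else w1
            succ.append((pc1, npc, nv1, nv2, nw1, nw2))
        if not succ:
            problem = 'deadlock in %r' % ((pc1, pc2, v1, v2),)
        elif any(w is not None and w > bound for s in succ for w in s[4:]):
            problem = 'overtaking bound %d exceeded' % bound
        for s in succ:
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return {'problem': problem,
            'global_states': len({s[:4] for s in seen})}


if __name__ == '__main__':
    print(check(fig2_top()))       # 14 global states, no problem
    print(check(fig2_bottom()))    # 17 global states, no problem
```

The counter w_i is what makes the bounded-overtaking check decidable on a finite state space: the search stops as soon as some successor exceeds the bound, so an unfair variant is reported instead of being explored forever. The global state counts reproduce the "Heuristic 1" sizes of Table 1 for Mutex(2,Δ1) and Mutex(2,Δ2).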

5.2 More Processes 

When we consider the mutual exclusion problem for an arbitrary number of 
processes N ≥ 2, we choose the alphabet Σ = ⋃_{1≤i≤N} {req_i, enter_i, exit_i}. There 
exist several distributions of the actions. We choose generalisations of the two 
distributions used for N = 2. For 1 ≤ i ≤ N: 

— Δ_1(P_i) := {req_i, exit_i, enter_1, ..., enter_N} 

— Δ_2(P_i) := {req_i, exit_i, enter_i}, Δ_2(V_i) := Δ_1(P_i) \ {enter_i} 

We also generalise the regular specification of the problem. E.g., the mutual 
exclusion property is specified as: Σ* \ ⋃_{i≠j} [Σ* enter_i (Σ \ {exit_i})* enter_j Σ*]. 

The experiments for N = 2, 3, 4, 5 are presented in Table 1. In the first 
column, we give the parameters of the problem. In the second column, we give the 
size of the minimal automaton accepting the regular specification together with 
the number of processes in the distribution. (The tool AMoRE [Amo] was 
used to construct the minimal automata recognising the regular specification.) 
In each of the following columns, size is the global state space of the 
solution (the asynchronous automaton) and time is the computation time in 
seconds. A dash means that the system ran out of memory without finding 
a solution. The third and fourth columns give the results after applying the first 
and respectively second heuristic of Sect. 4.1, followed by Zielonka's procedure. 
The fifth and sixth columns give the results after applying the first and respectively 
second heuristic of Sect. 4.1, followed by the heuristic of Sect. 4.2. (The experiments 
were performed on a machine with a 2.4 GHz CPU and 1 GB RAM.) 

Table 1. Experimental results 

Problem        Input            Zielonka 1        Zielonka 2        Heuristic 1         Heuristic 2 
               |A|    |Proc|    size    time      size    time      size    time        size    time 
Mutex(2,Δ1)    14     4         34      <0.01     23      <0.01     14      <0.01       10      <0.01 
Mutex(2,Δ2)    14     4         4799    5.30      2834    2.66      17      <0.01       16      <0.01 
Mutex(3,Δ1)    107    6         -       -         -       -         107     <0.01       30      <0.01 
Mutex(3,Δ2)    107    6         -       -         -       -         -       -           58      0.11 
Mutex(4,Δ1)    1340   8         -       -         -       -         1340    0.31        62      1.25 
Mutex(4,Δ2)    1340   8         -       -         -       -         -       -           157     3.83 
Mutex(5,Δ1)    25338  10        -       -         -       -         25338   170.95      147     1000.76 
Mutex(5,Δ2)    25338  10        -       -         -       -                             387     1053.79 

6 Further Remarks 

We have proposed to apply the theory of asynchronous automata to the pro- 
blem of synthesising closed distributed algorithms. We have observed that the 
right implementation model is safe asynchronous automata, and we have cha- 
racterised their languages. We defined the synthesis problem in our framework 
and proved that it is undecidable; therefore we focused our attention on an NP- 
complete subclass of solutions. We have implemented Zielonka's algorithm, and 
observed that it leads to large implementations even for natural and relevant 
case studies where much smaller implementations exist. We have derived heuri- 
stics to make the synthesis problem more feasible in practice. We have used the 
heuristics to automatically generate mutual exclusion algorithms. 

Obtaining 'Elegant' Solutions: Our solutions to the mutex problem are not 
'elegant': they use variables with larger domains than those appearing in the 
literature, and a human finds it difficult to understand why they are correct. 
Notice, however, that this is the case with virtually all computer generated 
outputs, whether they are HTML text, program code, or a computer generated 
proof of a formula in a logic. Our solutions are correct and relatively small. 

Specifying with Temporal Logic: Notice that our approach is compatible with 
giving specifications as LTL temporal logic formulas over finite strings, since 
the language of finite words satisfying a formula is known to be regular, and an 
automaton recognising this language can be effectively computed. 

Dealing with Liveness Properties: Currently our approach cannot deal with 
liveness properties. Loosely speaking, 'eventually' properties have to be trans- 
formed into properties of the form 'before this or that happens'. Dealing with 
liveness properties requires considering the theory of asynchronous automata on 
infinite words, for which not much is known yet (see Chap. 11 of [DR95]). The 
approaches of [BD98,CMT99] take a transition system as specification, and so 
do not consider liveness properties either. The approach of [MT02] can deal with 
liveness properties, but it can only synthesise controllers satisfying certain condi- 
tions (clocked controllers). These conditions would not appear in a reformulation 
of our results in terms of distributed controller synthesis. 
Abstract. We introduce the problem of compressing partially ordered 
strings: given a string σ ∈ Σ* and a binary independence relation I over 
Σ, how can we compactly represent an input if the decompressor is allo- 
wed to reconstruct any string that can be obtained from σ by repeatedly 
swapping adjacent independent symbols? Such partially ordered strings 
are also known as Mazurkiewicz traces, and naturally model executi- 
ons of concurrent programs. Compression techniques have been applied 
with much success to sequential program traces, not only to store them 
compactly but to discover important profiling patterns within them. For 
compression to achieve similar aims for concurrent program traces we 
should exploit the extra freedom provided by the independence relation. 
Many popular string compression schemes are grammar-based schemes 
that produce a small context-free grammar generating uniquely the given 
string. We consider three classes of strategies for compression of partially- 
ordered strings: (i) we adapt grammar-based schemes by rewriting the 
input string σ into an "equivalent" one before applying grammar-based 
string compression, (ii) we represent the input by a collection of projec- 
tions before applying (i) to each projection, and (iii) we combine (i) and 
(ii) with relabeling of symbols. We present some natural algorithms for 
each of these strategies, and present some experimental evidence that 
the extra freedom does enable extra compression. We also prove that 
a strategy of projecting the string onto each pair of dependent symbols 
can indeed lead to exponentially more succinct representations compared 
with only rewriting, and is within a factor of d (the number of dependent 
pairs) of the optimal strategy for combining projections with rewriting. 



1 Introduction 

Algorithms for text compression view the input as a linearly ordered sequence 
of symbols and try to discover repeating patterns so that the input can be 
represented more compactly. In this paper, we initiate the study of compression 
of partially ordered strings. Given an independence relation over an alphabet, 
two strings are said to be equivalent if one can be obtained from the other by 
repeatedly commuting adjacent independent symbols. An equivalence class of 
such a type is known as a Mazurkiewicz trace in concurrency theory [Maz87, 
DM97]. The new compression problem is then to compactly represent an input 
string if the decompressor is allowed to output any string that is equivalent to 
the original string. For instance, if all the symbols are pair-wise independent of 
each other, then a string can simply be represented by listing the number of 
occurrences of each occurring symbol of the alphabet in the string. In this case, 
the original string may be incompressible, but the extra freedom afforded by 
independence allows a representation that is logarithmic in the original size. 

Many popular algorithms for string compression, such as the Lempel-Ziv 
algorithms [ZL77,ZL78] and SEQUITUR [NW97], are variants of grammar-based 
schemes, which work by essentially computing a small context-free grammar 
that generates the input string uniquely (see [KY00,CLL+02]). Such grammars 
are deterministic and contain no cycles, and hence can be viewed simply as 
hierarchical representations of the string. Larus ([Lar99]), using the SEQUITUR 
scheme, has shown that such compact hierarchical representations of sequential 
program traces can be used profitably to extract a variety of useful profiling 
information, such as detection of hotspots and hot subpaths, for analyzing and 
optimizing a program's dynamic behavior ([Lar99,BL00]). 

While executions of sequential programs can be described naturally by strings 
of events, the behavior of a concurrent system is more appropriately modeled 
as a partially-ordered sequence of events [Lam78,Pra86,Maz87], reflecting the 
fact that if events occurring on distinct processes are not causally related their 
actual order of occurrence may be irrelevant. Message sequence charts (MSCs) 
offer a visual depiction of message exchanges in a concurrent system, and are 
used, e.g., for describing high-level requirements in the Unified Modeling Langu- 
age [BJR97]. MSCs are also best formalized as partially ordered strings. Model 
checking tools like SPIN [Hol97] generate MSCs as outputs for simulation runs 
and counterexample traces. Hierarchical representations of MSCs can be used to 
improve comprehension and visualization of such outputs, which are often large. 
All this suggests that compression of partially ordered strings should be used for 
concurrent program traces to achieve similar aims as string compression achieves 
for sequential program executions. In doing so, however, we should exploit the 
extra freedom provided by the independence relation to find patterns that are 
not available in a fixed sequential view of a partially ordered trace. 

While compression has been studied for decades from both theoretical and 
practical viewpoints, we are not aware of any research that explicitly addresses 
compression of partially ordered strings.^ 

Our first class of algorithms involves adaptation of grammar-based schemes 
directly to partial-order strings. For strings it is NP-hard to find an optimal 
grammar ([SS82]), but such a grammar is approximable to within a log factor 
in polynomial time [CLL+02]. We present two algorithms for finding potentially 
smaller grammar representations by exploiting the independence relation. Our 
first algorithm is a modification of SEQUITUR ([NW97]) that greedily chooses 
the next symbol to be processed from the minimal elements of the remaining 



^ Based on the work we have initiated here, S. Savari has begun an information- 
theoretic study of such structures based on entropy considerations [Sav03a,Sav03b]. 
partial order by giving preference to the one that would lead to an already 
encountered pattern. Second is an offline algorithm that repeatedly replaces the 
most frequently occurring pair of dependent or independent symbols by a new 
nonterminal. As such, it does not strictly speaking produce a string grammar, 
but rather a limited form of more general graph grammars ([Eng97]). We report 
on a prototype implementation of these algorithms, and experimental results 
that indicate improvements in compression. 

Our second class of algorithms consists of representing a string by an ade- 
quate collection of projections onto subsets of the alphabet, and then compres- 
sing each projection by a grammar-based string compression algorithm or by 
one of the algorithms of the first class. A necessary and sufficient condition for 
being able to reconstruct the original string up to equivalence is that each pair 
of dependent symbols must occur in one of the projections. A natural strategy 
for projection is to project the string onto every pair of dependent symbols. 
Surprisingly, this strategy can be exponentially more succinct than the optimal 
representation using just rewriting. In fact, this exponential gap holds even for 
ordinary strings (that is, when the independence relation is empty). Further- 
more, the strategy of projecting onto dependent pairs produces output within a 
factor of d of that of the optimal algorithm in this class, where d is the number of 
dependent pairs, and this factor is tight. When the alphabet is partitioned into k 
sets such that symbols are dependent iff they belong to the same partition, then 
the natural strategy is to project the input string onto each of the partitions. 
Compared to compressing the original string, this can be exponentially better 
in the best case, and it is always within a factor of k compared to the optimal 
algorithm using just rewriting. 

Finally, the third class of algorithms allows collapsing of symbols using re- 
labeling in addition to the projections and rewriting. One strategy in this class 
is the following. For every symbol a, we project the string onto a and all the 
symbols dependent on a, then collapse all these dependent symbols to a single 
symbol b. This leads to |Σ| strings, each over a two-letter alphabet, which can be 
compressed separately. We show how to reconstruct the original string, up to 
equivalence, from these projections. 



2 Grammar-Based Compression up to Equivalence 

2.1 Equivalence Classes of Strings and Labeled Partial Orders 

Our model consists of a set Σ of terminals and an irreflexive symmetric inde- 
pendence relation I ⊆ Σ × Σ. Two terminals a, b are said to be independent if 
(a, b) ∈ I. Intuitively, two strings are equivalent if one can be obtained from the 
other by a sequence of swaps of adjacent independent symbols. Formally, ≡_I 
is the smallest binary equivalence relation on Σ* satisfying σabτ ≡_I σbaτ, for 
all (a, b) ∈ I and for all strings σ, τ ∈ Σ*. We shall represent the equivalence 
class corresponding to a string σ by [σ]_{≡_I}. Such equivalence classes are called 
Mazurkiewicz traces in the concurrency literature [Maz87]. 




Compression of Partially Ordered Strings 



Equivalence classes induced by ≡_I correspond to labeled partial orders of a 
particular form. A labeled partial order respecting I is a structure P = (V, E, λ), 
where V is a finite set of nodes, E is a set of edges over V such that the reflexive- 
transitive closure E* is a partial order over V, and λ : V → Σ is a labeling of 
nodes by terminals such that for all u, v ∈ V, 

1. if (u, v) ∈ E, then (λ(u), λ(v)) ∉ I, 

2. if (λ(u), λ(v)) ∉ I, then either (u, v) ∈ E* or (v, u) ∈ E*. 

A linearization σ of the labeled partial order P = (V, E, λ) is a string σ_1 σ_2 ··· σ_|V| 
over Σ such that there exists an ordering v_1 v_2 ··· v_|V| of the nodes in V satisfying 
(1) σ_i = λ(v_i) for 1 ≤ i ≤ |V|, and (2) for all (v_i, v_j) ∈ E, i < j. We can define a 
correspondence between equivalence classes of strings and labeled partial orders. 
Namely, given a string σ and an independence relation I, there is an algorithm to 
construct the labeled partial order P_{σ,I} with |σ| vertices whose linearizations are 
exactly the strings in [σ]_{≡_I}. The details of the algorithm to construct P_{σ,I} are standard, 
and omitted from this abstract. 
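
The construction of P_{σ,I} that the text omits is short enough to show. The following is an added example in Python, not code from the paper: it builds P_{σ,I} for a string and an independence relation I (given as a set of unordered pairs written as 2-tuples), keeping only the covering edges, enumerates the linearizations of the resulting partial order, and checks that they coincide with the class [σ]_{≡_I} generated by swapping adjacent independent symbols. The function names are this example's own.

```python
"""The labeled partial order P_{sigma,I} of Sect. 2.1 and its linearizations.

Added example, not code from the paper: builds P_{sigma,I} for a string and
an independence relation I, enumerates the linearizations of that partial
order, and confirms they are exactly the class [sigma]_I obtained by
swapping adjacent independent symbols.  I is a set of unordered pairs
written as 2-tuples; function names are this example's own."""

from collections import deque


def independent(a, b, I):
    return (a, b) in I or (b, a) in I


def partial_order(sigma, I):
    """Return (labels, edges).  Node i is position i of sigma; edges is the
    covering relation of the order 'i before j iff i < j and sigma[i],
    sigma[j] are dependent' (condition 2 of the definition).  Covering
    edges only join dependent labels, so condition 1 holds as well."""
    n = len(sigma)
    reach = {}                        # reach[i]: every node ordered after i
    for i in reversed(range(n)):
        r = {j for j in range(i + 1, n) if not independent(sigma[i], sigma[j], I)}
        for j in list(r):
            r |= reach[j]             # transitive closure, right to left
        reach[i] = r
    # drop i -> j whenever some k lies strictly between them
    edges = {(i, j) for i in range(n) for j in reach[i]
             if not any(j in reach[k] for k in reach[i])}
    return list(sigma), edges


def linearizations(labels, edges):
    """All strings satisfying (1) and (2) of the linearization definition:
    every topological ordering of the nodes, read through the labels."""
    n = len(labels)
    preds = {j: {i for (i, k) in edges if k == j} for j in range(n)}
    out = set()

    def extend(done, prefix):
        if len(done) == n:
            out.add(''.join(prefix))
            return
        for v in range(n):
            if v not in done and preds[v] <= done:
                extend(done | {v}, prefix + [labels[v]])

    extend(frozenset(), [])
    return out


def equivalence_class(sigma, I):
    """[sigma]_I: closure of sigma under swaps of adjacent independent symbols."""
    seen, todo = {sigma}, deque([sigma])
    while todo:
        s = todo.popleft()
        for k in range(len(s) - 1):
            if independent(s[k], s[k + 1], I):
                t = s[:k] + s[k + 1] + s[k] + s[k + 2:]
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
    return seen


if __name__ == '__main__':
    I = {('a', 'b')}                                 # the running example of Sect. 3
    labels, edges = partial_order('cabcbac', I)
    print(sorted(edges))
    print(sorted(linearizations(labels, edges)))
    print(linearizations(labels, edges) == equivalence_class('cabcbac', I))
```

For cabcbac with a and b independent the order has eight covering edges and exactly four linearizations; with all symbols pairwise independent, as in the introduction's extreme case, every permutation is a linearization.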



2.2 Grammar-Based Compression 

In grammar-based compression algorithms for strings, given an input string σ, 
the algorithm computes a context-free grammar G that generates the singleton 
language {σ}. The grammar G then serves as a succinct hierarchical represen- 
tation of σ. From now on, we shall refer to such a grammar as a grammar for 
σ. Over the years, several interesting grammar-based string compression algo- 
rithms have been proposed. Of them, the algorithm Sequitur [NW97] has been 
used for compression as well as to gather profiling information from program 
executions [Lar99,BL00,GRM03], and is of particular interest to us. Sequitur is 
an online algorithm that greedily constructs a hierarchy out of an input string. It 
scans the input from left to right, identifies repeated pairs of adjacent symbols 
(digrams) in the representation of the input that it has processed so far, and 
replaces them by nonterminals. A grammar rule maps every nonterminal to the 
digram it represents. 

A good measure of the performance of a grammar-based compression algo- 
rithm is the size of the grammar, where the size of a grammar G is defined to 
be the sum of the lengths of the right-hand sides of all the rules in G. The opti- 
mal grammar-based compression algorithm needs to find the smallest grammar 
for the given input string. Unfortunately, this problem is NP-complete [SS82]. 
However, some recent research is aimed at finding approximation algorithms 
for this problem: Lehman et al. [LS02] find approximation ratios for some pre- 
viously proposed grammar-based compression algorithms (e.g., the well known 
LZ78 has an approximation ratio O((n/log n)^{2/3})) and prove the hardness of 
approximating the smallest grammar beyond a certain constant factor; Charikar 
et al. [CLL+02] present an algorithm with an approximation ratio O(log(n/g*)), 
where g* is the size of the smallest grammar. 




R. Alur et al. 



2.3 Compression up to Equivalence 

In this paper, we are interested in generating a small grammar-based repre- 
sentation of a given string up to the equivalence induced by an independence 
relation. We propose three different methodologies for achieving this, and pose 
three different optimization problems that these methods correspond to. 



Finding Optimal Equivalent Strings. In our first approach, we find a string 
that is equivalent to the input string and can be represented by a small grammar. 
The output is the grammar for this string. For example, suppose Σ = {a, b, c} 
and b and c are independent of each other. Then, the strategy of clustering all 
the b's (and c's) together between every pair of a's is a good heuristic to increase 
compressibility. For instance, abccbacbbc will be rewritten to (ab²c²)² to reduce 
the size of the grammar-based representation. The corresponding optimization 
problem is as follows. Let C(σ) represent the size of the smallest grammar for 
a given string σ. Then, given a string σ and an independence relation I, the 
problem is to find τ ∈ [σ]_{≡_I} such that C(τ) is the minimum of the set {C(σ') | 
σ' ∈ [σ]_{≡_I}}. From now on, we refer to this optimal value C(τ) as C_I(σ). 



Projections and Compression. In our second approach, we consider the 
compression algorithms that project the input string onto a sequence of sub- 
sets of Σ such that the original string (up to equivalence) can be recovered 
from these projections, and compress the projections separately. In the example 
with Σ = {a, b, c} with b and c independent, we can represent σ by two projec- 
tions, one onto {a, b} and one onto {a, c}, and compress the two separately (e.g., 
abcccbacbbc will be replaced by the pair (abbabb, acccacc)). 

The projection of a string σ on a subalphabet Σ' ⊆ Σ is obtained by erasing 
all symbols in σ that are not in Σ', and is represented by σ↾Σ'. Subalphabets 
Σ_1, Σ_2, ..., Σ_m ⊆ Σ cover an independence relation I if there is a reconstruction 
algorithm A such that, for all strings σ, given the projections σ↾Σ_i, A outputs 
some σ' ∈ [σ]_{≡_I}. 

In this case, the compression methodology is as follows. We first project 
the input string σ on a set of covering subalphabets. Then we find grammars 
for these projections using an approximation algorithm for string compression. 
The compressed representation of the string (and the equivalence class) is the 
collection of all these grammars. In order to uncompress, we regenerate the 
projections from their grammars and use a reconstruction algorithm to generate 
a string equivalent to σ. Formally, the optimization problem is as follows. Given 
a σ and an independence relation I, find a cover Σ_1, Σ_2, ..., Σ_m for I such that 
Σ_{i=1}^{m} C_I(σ↾Σ_i) is minimized. Let us denote Σ_{i=1}^{m} C_I(σ↾Σ_i) for the optimal 
cover by C^P_I(σ). 

Relabeling, Projections, and Compression. In our third approach, we al- 
low relabeling of symbols during projections as long as the original string can 
be recovered up to equivalence. Going back to our example with independent b's 
and c's, we can represent a string by a pair, where the first one is a projection 
onto {a, b} and the second one is obtained by renaming b to c. For instance, 
abcbccacbcbb can be represented by (abbabbb, ac⁵ac⁵). In this example, it is clear 
that the original string can be reconstructed up to equivalence, and relabeling 
can be exploited to minimize grammar sizes. 

A relabeling γ is a function from Σ to Σ, and we use γ(σ) to denote the string 
obtained from σ by replacing each symbol s in σ by the corresponding symbol 
γ(s). A sequence of subalphabets Σ_1, Σ_2, ..., Σ_m ⊆ Σ and a corresponding 
sequence of relabelings γ_1, γ_2, ..., γ_m are said to cover an independence relation I 
if there is a reconstruction algorithm A such that, for all strings σ, given the renamed 
projections γ_i(σ↾Σ_i), A outputs some σ' ∈ [σ]_{≡_I}. The optimization problem is 
defined as in the previous case. Given a string σ and an independence relation 
I, find a set of subalphabets Σ_1, Σ_2, ..., Σ_m together with relabeling functions 
γ_1, γ_2, ..., γ_m such that the two sequences cover I, and Σ_{i=1}^{m} C_I(γ_i(σ↾Σ_i)) is 
minimized. Let us denote the optimal sum by C^R_I(σ). Note that, by definition, 

C^R_I(σ) ≤ C^P_I(σ) ≤ C_I(σ) ≤ C(σ). 

3 Compression Algorithms 

3.1 Locally Greedy Algorithm for Finding Good Linearizations 

We first describe an algorithm that takes labeled partial orders as inputs, and 
outputs grammars for certain "good" linearizations. Given a string σ and in- 
dependence relation I, we can first construct the partial order P_{σ,I}. Algorithm 1 
of Fig. 1 is an online algorithm inspired by Sequitur [NW97] and traverses the 
input partial order P from top to bottom. At each step, one of the minimal 
nodes (nodes without any incoming edges from unprocessed nodes) is chosen 
and removed from P. The choice is made greedily by giving preference to a node 
that will create a digram that has already appeared. Its label a is appended to 
a list L representing the part of the input already seen. Following Sequitur, we 
enforce digram uniqueness on L; that is, if a digram xy occurs at two separate 
locations on L, they are to be replaced by a nonterminal. If this digram has not 
been seen in the input processed so far, we add a rule A → xy, for some new 
nonterminal A, to the grammar. 

In our implementation of this algorithm, we maintain a map from digrams 
to positions in L. This map is maintained as a hashtable, so that we are able to 
match rules in constant time. Changes to the list L, required when a digram 
is replaced by a nonterminal, are implemented through low-level pointer ope- 
rations. At each step we contract one edge of the partial order; we terminate 
when there are no edges left to explore. Since the edge relation is the covering 
relation of the partial order, there are at most a linear number of edges. If n is 
the length of the input string, and k is the width of the partial order P_{σ,I} (that 
is, the maximum number of pair-wise unordered symbols), then the algorithm 
runs in time O(k · n). 

Consider the labeled partial order P corresponding to the string cabcbac with 
a and b independent. Let us follow a run of this algorithm on P. The stages of 
input:  Labeled partial order P = (V, E, λ). 
output: Grammar G for some linearization of P. 

begin 
  G := ∅. 
  List of symbols L := [λ(w)] for some minimal element w of P. Remove w from P. 
  Hashtable of digrams D := ∅. 
  repeat 
    Min := set of minimal elements of P. 
    p := last element appended to L. 
    if there is v ∈ Min and a digram A → pλ(v) in D then 
      Remove v from P. Append q = λ(v) to L. 
      Replace the pair pq at the end of L by the nonterminal A. 
      If the rule A → pq is not already in G, then add it. In this case 
      there is a previous unreplaced occurrence of pq pointed to by D in 
      the hashtable. Replace that as well. 
      Update D with the digrams generated by these changes. If the digram 
      uniqueness property is found to be violated, repeatedly replace the 
      violating digrams by nonterminals until there is no repetition. 
    else 
      Choose some arbitrary v ∈ Min. Remove v from P. 
      Add a digram A → pλ(v) to D for some new nonterminal A. Make it 
      "point" to the current last position in L. 
      Append λ(v) to L. 
    end 
  until Min = ∅. 
  G := G ∪ {S → L}, where S is a new starting nonterminal. 
  Output G. 
end 

Algorithm 1: Top-to-bottom 



Step   List L   Comments 
1      c        Only one choice. 
2      ca       Symbol a chosen arbitrarily. 
3      cab      No other choice. 
4      cabc     No other choice. 
5      cabca    Choice made to repeat digram ca. Rule A → ca added. 
6      AbAb     Symbol b appended. Digram Ab repeated. Add rule B → Ab. 
7      BBc      End of partial order reached. Add rule S → BBc. 

Fig. 1. Sample run of the Top-to-bottom Algorithm 



the algorithm are described in the table in Fig. 1. The key step is step 5, where 
a is preferred over b as it causes a repeating digram. 
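
To make the run of Fig. 1 reproducible, here is a compact re-implementation of Algorithm 1. It is an added example in Python, not the authors' implementation: the list L is a Python list, digram uniqueness is enforced by rescanning L instead of through the paper's hashtable of positions (so a digram equal to an existing rule's right-hand side is only replaced once it repeats inside L), ties among minimal nodes are broken by lowest position, and nonterminals are single upper-case letters, which assumes lower-case terminals. The names top_to_bottom, expand, trace_equivalent and grammar_size are this example's own.

```python
"""Top-to-bottom algorithm (Algorithm 1) re-implemented in Python.

Added example, not the authors' implementation: L is a Python list, digram
uniqueness is enforced by rescanning L rather than via a hashtable of
positions, ties among minimal nodes go to the lowest position, and
nonterminals are upper-case letters (terminals assumed lower-case)."""


def top_to_bottom(sigma, I):
    """Return (grammar, L): grammar maps each nonterminal to its two-symbol
    right-hand side, L is the final top-level string (rule S -> L)."""
    n = len(sigma)
    dependent = lambda a, b: (a, b) not in I and (b, a) not in I
    # predecessors in P_{sigma,I}: every earlier position with a dependent label
    preds = {j: {i for i in range(j) if dependent(sigma[i], sigma[j])} for j in range(n)}
    remaining = set(range(n))
    grammar, by_rhs = {}, {}
    names = iter('ABCDEFGHIJKLMNOPQRTUVWXYZ')        # 'S' reserved for the start rule
    L = []

    def digrams(L):
        return {(L[k], L[k + 1]) for k in range(len(L) - 1)}

    def enforce_uniqueness(L):
        """Replace every digram occurring twice by a nonterminal, repeating
        because a replacement can create a new repeated digram."""
        repeated = True
        while repeated:
            repeated = False
            for d in digrams(L):
                occ, last = [], -2
                for k in range(len(L) - 1):           # non-overlapping occurrences
                    if (L[k], L[k + 1]) == d and k > last + 1:
                        occ.append(k)
                        last = k
                if len(occ) < 2:
                    continue
                A = by_rhs.get(d)
                if A is None:                         # rule A -> xy not yet in G
                    A = next(names)
                    grammar[A], by_rhs[d] = list(d), A
                for k in reversed(occ):               # right to left keeps indices valid
                    L[k:k + 2] = [A]
                repeated = True
                break

    while remaining:
        minimal = sorted(v for v in remaining if not (preds[v] & remaining))
        choice = minimal[0]
        if L:                                         # prefer a node that repeats a digram
            present = digrams(L)
            for v in minimal:
                if (L[-1], sigma[v]) in present:
                    choice = v
                    break
        remaining.remove(choice)
        L.append(sigma[choice])
        enforce_uniqueness(L)
    return grammar, L


def expand(grammar, L):
    """Derive the unique string generated from L with the rules in grammar."""
    out = []

    def rec(sym):
        if sym in grammar:
            for s in grammar[sym]:
                rec(s)
        else:
            out.append(sym)

    for s in L:
        rec(s)
    return ''.join(out)


def trace_equivalent(s, t, I):
    """s and t are equivalent iff they agree on the projection onto every pair
    of dependent letters (a letter is always dependent on itself)."""
    letters = sorted(set(s) | set(t))
    for a in letters:
        for b in letters:
            if (a, b) in I or (b, a) in I:
                continue
            if [x for x in s if x in (a, b)] != [x for x in t if x in (a, b)]:
                return False
    return True


def grammar_size(grammar, L):
    """Size measure of Sect. 2.2: sum of right-hand-side lengths, S included."""
    return len(L) + sum(len(r) for r in grammar.values())


if __name__ == '__main__':
    grammar, L = top_to_bottom('cabcbac', {('a', 'b')})
    print(grammar, L)            # {'A': ['c', 'a'], 'B': ['A', 'b']} ['B', 'B', 'c']
    print(expand(grammar, L))    # cabcabc, a linearization of P
```

On cabcbac with a ∥ b the run reproduces Fig. 1: rules A → ca and B → Ab, top level BBc, and the expansion cabcabc is equivalent to the input but is not the input itself, which is exactly the freedom the algorithm exploits.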
3.2 Replace Most Frequent Pair 

Our next algorithm is a greedy offline algorithm that chooses the most frequently 
occurring pair of dependent or independent symbols, and replaces this digram by 
a nonterminal. Consider a labeled partial order P = (V, E, λ). The frequency of 
a pair of dependent symbols (p, q) is the maximum number of edges of the form 
(u, v) with λ(u) = p and λ(v) = q such that no two edges share an end-point 
(note that sharing of end-points can happen when p = q); while the frequency of 
a pair of independent symbols (p, q) is the maximum number of pair-wise disjoint 
sets of nodes of the form {u, v} such that λ(u) = p, λ(v) = q, and neither uE*v 
nor vE*u. The contraction of (u, v) ∈ E by a node w is the following operation 
on P: remove u, v from V; add w to V; replace (s, t) ∈ E, where t ∈ {u, v} and 
s ≠ u, by (s, w); replace (s, t) ∈ E, where s ∈ {u, v} and t ≠ v, by (w, t); and 
remove (u, v). For a pair (u, v) of unrelated nodes, the contraction by a node 
w is defined similarly: remove u, v from V, add w to V; replace (s, t) ∈ E with 
t ∈ {u, v} by (s, w); and replace (s, t) ∈ E with s ∈ {u, v} by (w, t). Finally, we 
will modify our definition of the labeling function λ a bit so that a labeled partial 
order can also have nodes labeled with arbitrary nonterminals. The definitions 
of frequency and contraction apply to such nodes also. If such a new node w is 
labeled with a new nonterminal A, then A is declared to be dependent on all the 
symbols that are dependent on p as well as the symbols dependent on q. 

At each step of this algorithm, we identify a pair of symbols (p, q) with the 
maximum frequency. Then we add a rule A → pq, for some new nonterminal A, 
and contract a disjoint collection of node pairs labeled (p, q) by a node labeled A. 
Computing the frequency of dependent pairs is straightforward: we simply need 
to scan all the edges and maintain a count for every pair of symbols. Computing 
the frequency of independent symbols requires more care: we need to make sure 
that if a node labeled p is unrelated to two nodes labeled q, then only one pair 
gets counted towards the frequency of (p, q). In this case, matching the p-labeled node 
with the first q-labeled node that is a potential match is a safe strategy 
to maximize the count of disjoint pairs. Note that the resulting grammar is not, 
strictly speaking, a string grammar because we are also allowed to introduce 
new nonterminals for pairs of independent symbols. Rather, it can be viewed 
as a limited form of more general graph grammars ([Eng97]), and hence as a 
generalization of the grammar-based string compression approach to a graph 
grammar-based approach for compression of partial orders. 

Consider again the labeled partial order $P$ corresponding to the string $cabcbac$
with $a$ and $b$ independent. At the first step, we have to choose a set of disjoint
edges labeled by the same symbol-pair. We arbitrarily choose the symbol-pair
$(a, c)$ (we could also have chosen $(b, c)$, $(c, a)$, $(a, b)$ or $(c, b)$; all have
frequency 2), add the rule $A \to ac$, and contract. The partial order now becomes
the one corresponding to the string $cbAbA$. At the next step, we contract the two
edges labeled $(b, A)$ and add a rule $B \to bA$. The partial order now becomes a
chain $cBB$. There is no way to contract further.
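The replace-most-frequent step described above, as an added Python example (it is not code from the paper): it builds the labeled partial order of a string under an independence relation, taking $E$ to be the covering relation of the induced order, computes pair frequencies with the greedy first-free-partner matching the text describes, contracts, and declares the new nonterminal's dependencies. Ties between maximum-frequency pairs, which the text leaves arbitrary, are broken here in favour of dependent pairs and then alphabetically; under that choice the walk-through of $cabcbac$ reproduces the rules $A \to ac$, $B \to bA$ and the chain $cBB$. All function and variable names are the example's own.

```python
from collections import defaultdict
from itertools import count
import string


def build_partial_order(s, independent):
    """Labelled partial order of string s under a symmetric independence relation:
    nodes are positions, u lies below v when u precedes v through a chain of
    pairwise dependent positions, E is the covering relation of that order.
    Returns (labels, edges) with labels: position -> symbol."""
    n = len(s)
    reach = [set() for _ in range(n)]            # positions above i (closure)
    for i in range(n - 1, -1, -1):
        for j in range(i + 1, n):
            if (s[i], s[j]) not in independent:
                reach[i].add(j)
                reach[i] |= reach[j]
    edges = {(i, j) for i in range(n) for j in reach[i]   # covering edges only
             if not any(j in reach[k] for k in reach[i])}
    return {i: s[i] for i in range(n)}, edges


class LabelledPartialOrder:
    """P = (V, E, lambda); nodes may carry terminals or nonterminals."""

    def __init__(self, labels, edges, independent):
        self.labels, self.edges = dict(labels), set(edges)
        self.independent = set(independent)
        self._fresh = count(max(self.labels) + 1)

    def dependent(self, p, q):
        return (p, q) not in self.independent

    def reachable(self):
        """node -> nodes reachable along E, i.e. u E* v for u != v."""
        succ, memo = defaultdict(set), {}
        for s, t in self.edges:
            succ[s].add(t)

        def dfs(u):
            if u not in memo:
                memo[u] = set().union(*({v} | dfs(v) for v in succ[u]))
            return memo[u]

        return {u: dfs(u) for u in self.labels}

    def disjoint_pairs(self, p, q, reach):
        """Node-disjoint collection of (p, q) pairs whose size is the frequency:
        edges labelled (p, q) for a dependent pair, unrelated node pairs for an
        independent one; each p-node takes the first free partner (greedy)."""
        if self.dependent(p, q):
            candidates = sorted(self.edges)
        else:
            nodes = sorted(self.labels)
            candidates = [(u, v) for u in nodes for v in nodes
                          if u != v and v not in reach[u] and u not in reach[v]]
        used, pairs = set(), []
        for u, v in candidates:
            if (self.labels[u], self.labels[v]) == (p, q) and not used & {u, v}:
                used.update((u, v))
                pairs.append((u, v))
        return pairs

    def contract(self, pairs, new_symbol):
        """Contract each (u, v) by a fresh node w labelled new_symbol: edges touching
        u or v are redirected to w; the edge (u, v) itself (present for a dependent
        pair, absent for an independent one) disappears as a self-loop."""
        for u, v in pairs:
            w = next(self._fresh)
            del self.labels[u], self.labels[v]
            self.labels[w] = new_symbol
            redirect = lambda x, u=u, v=v, w=w: w if x in (u, v) else x
            self.edges = {(redirect(s), redirect(t)) for s, t in self.edges
                          if redirect(s) != redirect(t)}

    def declare(self, new_symbol, p, q):
        """A depends on everything depending on p or q: it stays independent only
        of symbols independent of both."""
        for x in set(self.labels.values()) | {p, q}:
            if not self.dependent(x, p) and not self.dependent(x, q):
                self.independent.update({(x, new_symbol), (new_symbol, x)})


def linearize(P):
    """One linearization of P (Kahn's algorithm, smallest node id first)."""
    indeg, succ = {u: 0 for u in P.labels}, defaultdict(set)
    for s, t in P.edges:
        indeg[t] += 1
        succ[s].add(t)
    ready, out = sorted(u for u in indeg if indeg[u] == 0), []
    while ready:
        u = ready.pop(0)
        out.append(P.labels[u])
        ready += [v for v in succ[u] if not (indeg.__setitem__(v, indeg[v] - 1) or indeg[v])]
        ready.sort()
    return "".join(out)


def replace_most_frequent(s, independent):
    """Contract a maximum-frequency pair (p, q) into a fresh nonterminal A with rule
    A -> pq until no pair has frequency >= 2. Ties go to dependent pairs, then to
    the alphabetically first pair. Returns (rules, linearizations after each step)."""
    labels, edges = build_partial_order(s, independent)
    P = LabelledPartialOrder(labels, edges, independent)
    rules, trace, names = {}, [], iter(string.ascii_uppercase)
    while True:
        reach, best, best_key = P.reachable(), None, (1, 1)   # frequency 1 saves nothing
        symbols = sorted(set(P.labels.values()))
        for p in symbols:
            for q in symbols:
                if p == q and not P.dependent(p, q):
                    continue
                pairs = P.disjoint_pairs(p, q, reach)
                key = (len(pairs), int(P.dependent(p, q)))
                if key > best_key:
                    best, best_key = (p, q, pairs), key
        if best is None:
            return rules, trace
        p, q, pairs = best
        A = next(names)
        rules[A] = p + q
        P.contract(pairs, A)
        P.declare(A, p, q)
        trace.append(linearize(P))
```

Calling `replace_most_frequent("cabcbac", {("a", "b"), ("b", "a")})` returns the rules `{"A": "ac", "B": "bA"}` and the intermediate linearizations `["cbAbA", "cBB"]`; with an empty independence relation the same code behaves as an ordinary pairwise string compressor.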
input: Projections $\sigma_i$, $1 \le i \le m$, with $\sigma_i = \sigma \restriction \Sigma_i$. The following condition
is satisfied: for all $(a, b) \notin I$, there is an $i$ such that $a, b \in \Sigma_i$.
output: A string $\sigma'$ satisfying $\sigma' \equiv_I \sigma$.

begin
    $p_i \leftarrow 1$ for each $1 \le i \le m$
    $Proj_a \leftarrow \{i : a \in \Sigma_i\}$ for each $a \in \Sigma$
    $j \leftarrow 0$
    repeat
        Select $a \in \Sigma$ such that for all $i \in Proj_a$, we have $p_i \le |\sigma_i|$ and $\sigma_i(p_i) = a$
        $p_i := p_i + 1$ for all $i \in Proj_a$
        $\sigma'(j) := a$; $j := j + 1$
    until no such $a$ can be selected.
end

Algorithm 2: A reconstruction algorithm



3.3 Algorithms Using Projections

The first step in the algorithms that employ projection is to compute a cover
for the given independence relation. The next theorem identifies a key property
of the cover. (We have been informed that [CP85] contains this result. We provide
a proof here for completeness and because our proof provides an efficient
reconstruction algorithm which we use.)

Theorem 1. ([CP85]) Subalphabets $\Sigma_1, \Sigma_2, \ldots, \Sigma_m$ cover an independence
relation $I$ iff for all $(a, b) \notin I$, there is an $i$ such that $a, b \in \Sigma_i$.

Proof: ($\Rightarrow$) Suppose there is a pair of symbols $(a, b) \notin I$ such that there is no
$i$ with $a, b \in \Sigma_i$. Then the projections of the non-equivalent strings $ab$ and $ba$
will be identical, and hence reconstruction is impossible.

($\Leftarrow$) For this direction, we give a reconstruction algorithm for any set of
subalphabets satisfying the above condition. In Algorithm 2, $\sigma(i)$ represents the
$i$-th symbol of $\sigma$. The algorithm keeps a current pointer $1 \le p_i \le |\sigma_i|$ for each
projection $1 \le i \le m$. For each projection we advance this pointer from the
beginning to the end. The correctness proof is omitted due to lack of space. ■

The reconstruction algorithm, with appropriate book-keeping, can be made
to run in time linear in the size of its input (that is, the sum of the sizes of the
projections). In the context of this theorem, a reasonable strategy is to project on
a set of maximal cliques covering all the edges in the graph for the complement $D$
of the independence relation. We present two special cases of this methodology.

— The algorithm edge-cover projects on the set of subalphabets $\{a, b\}$ for
every pair $(a, b)$ in the complement $D$ of the independence relation $I$. This
algorithm can be optimized by considering only the pairs $(a, b)$ such that the
dependency is realized within the input string $\sigma$, that is, the partial order
$P_{\sigma, I}$ contains an edge whose endpoints are labeled with $a$ and $b$.

— An interesting special case is when the independence relation is a $k$-partite
graph: the alphabet $\Sigma$ is partitioned into sets $\Sigma_1, \ldots, \Sigma_k$ such that two
symbols are independent iff they belong to separate partitions. In this case, this
partition makes a natural choice for the clique cover.
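Algorithm 2 together with the two covers just listed, as an added Python example (not the paper's code): `edge_cover` and `kpartite_independence` build the covers, `is_cover` checks the condition of Theorem 1, and `reconstruct` is Algorithm 2 with 0-based pointers. The inputs are constructed. The equivalence check `trace_equivalent` relies on Theorem 1 applied to the edge cover: two strings that agree on all edge-cover projections are $I$-equivalent, and the converse is immediate.

```python
from itertools import combinations


def project(sigma, subalphabet):
    """sigma restricted to the symbols in subalphabet (sigma|Sigma_i in the text)."""
    return "".join(x for x in sigma if x in subalphabet)


def is_cover(alphabet, independent, subalphabets):
    """Condition of Theorem 1: every dependent pair (a, b) lies inside one Sigma_i."""
    return all(any(a in S and b in S for S in subalphabets)
               for a in alphabet for b in alphabet if (a, b) not in independent)


def edge_cover(alphabet, independent):
    """edge-cover: one subalphabet {a, b} per dependent pair with a != b, plus {a}
    for a symbol that depends on no other symbol (it is still dependent on itself)."""
    cover = [frozenset((a, b)) for a, b in combinations(alphabet, 2)
             if (a, b) not in independent]
    cover += [frozenset((a,)) for a in alphabet if not any(a in S for S in cover)]
    return cover


def kpartite_independence(partition):
    """Independence relation of the k-partite case: symbols in different blocks
    of the partition are independent, symbols in the same block are dependent."""
    return {(a, b) for S in partition for T in partition if S != T
            for a in S for b in T}


def reconstruct(alphabet, subalphabets, projections):
    """Algorithm 2 with 0-based pointers (the text uses 1 <= p_i <= |sigma_i|).
    Returns (sigma', all projections consumed); the flag is False when the
    projections are inconsistent and the selection gets stuck."""
    p = [0] * len(projections)
    proj_of = {a: [i for i, S in enumerate(subalphabets) if a in S] for a in alphabet}
    out = []
    while True:
        for a in alphabet:
            idx = proj_of[a]
            if idx and all(p[i] < len(projections[i]) and projections[i][p[i]] == a
                           for i in idx):
                for i in idx:
                    p[i] += 1
                out.append(a)
                break
        else:
            consumed = all(p[i] == len(projections[i]) for i in range(len(p)))
            return "".join(out), consumed


def trace_equivalent(u, v, alphabet, independent):
    """u and v are I-equivalent iff they agree on every edge-cover projection
    (the edge cover satisfies Theorem 1, so equal projections force equivalence)."""
    return all(project(u, S) == project(v, S) for S in edge_cover(alphabet, independent))


def demo_edge_cover():
    """Constructed instance: alphabet abc, only a and c independent."""
    alphabet, independent, sigma = "abc", {("a", "c"), ("c", "a")}, "acbcaab"
    cover = edge_cover(alphabet, independent)
    assert is_cover(alphabet, independent, cover)
    result, consumed = reconstruct(alphabet, cover, [project(sigma, S) for S in cover])
    return sigma, result, consumed


def demo_kpartite():
    """Constructed 2-partite instance: {a, b} and {c, d} are the cliques of D."""
    partition = [frozenset("ab"), frozenset("cd")]
    independent = kpartite_independence(partition)
    sigma = "adbcacbd"
    result, consumed = reconstruct("abcd", partition,
                                   [project(sigma, S) for S in partition])
    return sigma, result, consumed, independent
```

On the constructed input `acbcaab` the edge cover is $\{a,b\}, \{b,c\}$ and the algorithm returns `acbaacb`, which differs from the input only by commuting the independent $a$ and $c$; with subalphabets that are not a cover (for instance $\{a\}, \{b\}$ with $a, b$ dependent) the projections of $ab$ and $ba$ coincide and reconstruction returns the same string for both, which is the $\Rightarrow$ direction of Theorem 1.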



3.4 Algorithms with Relabeling and Projection

If the subalphabets $\Sigma_j$ and relabelings $\gamma_j$ cover an independence relation $I$, then
for $(a, b) \notin I$, there must be an index $j$ such that $a, b \in \Sigma_j$ and $\gamma_j(a) \neq \gamma_j(b)$.
That is, a necessary condition for reconstruction is that every pair of dependent
symbols must belong to a projection whose relabeling does not collapse them.

Now we present an alternative to covering the dependency graph using
cliques. Given an independence relation $I$, for every symbol $a \in \Sigma$, let $\Sigma_a =
\{b \in \Sigma \mid (a, b) \notin I\}$ be the set of symbols dependent on $a$. Let $\#$ be a special
symbol that is dependent on every symbol, and let $\gamma_a$ be the relabeling that
maps $a$ to $a$ and renames all other symbols to $\#$. The strategy star-cover is to
project the input string onto $\Sigma_a$, and apply the relabeling $\gamma_a$ before applying
the standard string compression. Note that, like the edge-cover algorithm of the
previous section, this strategy also leads to a collection of 2-symbol strings, but
now we are guaranteed that we have only $|\Sigma|$ projections, one per symbol in $\Sigma$.

Theorem 2. The subalphabets $\Sigma_a$ and relabelings $\gamma_a$, for each $a \in \Sigma$, cover the
independence relation $I$.

Proof: The reconstruction algorithm is similar to Algorithm 2. Let $\sigma_a = \gamma_a(\sigma \restriction
\Sigma_a)$. As before, we maintain a pointer $p_a$ for each projection $\sigma_a$. At every step,
we try to select a symbol $a \in \Sigma$ such that $\sigma_a(p_a) = a$ and for each $b \in \Sigma_a$ with
$b \neq a$, $\sigma_b(p_b) = \#$. If such a symbol $a$ is found, the algorithm outputs $a$, and
increments all the pointers $p_b$ for $b \in \Sigma_a$. If there are two such symbols, then
they must be independent, and the choice does not matter. ■
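The star-cover reconstruction of Theorem 2, as an added Python example (not the paper's code): `star_projections` computes $\sigma_a = \gamma_a(\sigma \restriction \Sigma_a)$ for every symbol and `star_reconstruct` applies the selection rule of the proof. The input string and independence relation are constructed; the helper names are the example's own.

```python
HASH = "#"   # the special symbol that is dependent on every symbol


def dependent_symbols(alphabet, independent, a):
    """Sigma_a = {b : (a, b) not in I}, in alphabet order."""
    return [b for b in alphabet if (a, b) not in independent]


def star_projections(sigma, alphabet, independent):
    """sigma_a = gamma_a(sigma|Sigma_a) for every a: keep a, rename the other
    symbols of Sigma_a to #, drop symbols independent of a."""
    out = {}
    for a in alphabet:
        sigma_a = set(dependent_symbols(alphabet, independent, a))
        out[a] = "".join(x if x == a else HASH for x in sigma if x in sigma_a)
    return out


def star_reconstruct(alphabet, independent, projections):
    """Reconstruction of Theorem 2 (0-based pointers): emit a when sigma_a points
    at a and every sigma_b with b in Sigma_a, b != a, points at #; then advance
    p_b for all b in Sigma_a. Returns (sigma', all projections consumed)."""
    sigma_of = {a: dependent_symbols(alphabet, independent, a) for a in alphabet}
    p = {a: 0 for a in alphabet}

    def at(b):   # symbol under the pointer of projection b, None once exhausted
        return projections[b][p[b]] if p[b] < len(projections[b]) else None

    out = []
    while True:
        for a in alphabet:
            if at(a) == a and all(at(b) == HASH for b in sigma_of[a] if b != a):
                for b in sigma_of[a]:
                    p[b] += 1
                out.append(a)
                break
        else:
            return "".join(out), all(at(a) is None for a in alphabet)


def demo():
    """Constructed instance: alphabet abc, only a and c independent, so
    Sigma_a = {a, b}, Sigma_b = {a, b, c}, Sigma_c = {b, c}."""
    alphabet, independent, sigma = "abc", {("a", "c"), ("c", "a")}, "acbcaab"
    projections = star_projections(sigma, alphabet, independent)
    result, consumed = star_reconstruct(alphabet, independent, projections)
    return sigma, projections, result, consumed
```

For the constructed input the three relabeled projections are `a#aa#`, `##b###b` and `c#c#`; the reconstruction `acbaacb` has exactly the same relabeled projections as the input, and there are $|\Sigma| = 3$ of them rather than one per dependent pair.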



3.5 Experiments

In this section, we discuss preliminary experimental results for the top-to-bottom
and replace-most-frequent compression algorithms presented earlier. We experimented
with two distributed programs shipped as demos with the popular SPIN
verification toolkit [Hol97]. One of them (mobile1) is a model of a cellphone
hand-off strategy, the other (pftp) is a flow control protocol. These models consist
of a number of processes communicating through message channels. Now
consider the natural alphabet of send and receive events. There is a natural
dependence relation on this alphabet: any send is dependent on the corresponding
receive. Also, the local clock for every process defines a dependence between any
two sends or receives that it participates in. Such an independence relation induces
a special subclass of labeled partial orders called message sequence charts. We
made SPIN perform random simulations of pftp and mobile1 and produce message
sequence charts (MSCs) of different lengths. These MSCs were fed as inputs
  MSC size   Sequitur (random linearization)   Top-to-bottom   Replace-most-frequent
     20000                             13800            5612                    4203
     40000                             24945            9679                    7123
     60000                             35490           13441                   12226
     80000                             45617           16641                   22157
    100000                             55228           19759                       -

Fig. 2. Grammar representations constructed by different algorithms: mobile1



  MSC size   Sequitur (random linearization)   Top-to-bottom   Replace-most-frequent
     20000                              7048            4474                    3457
     40000                             12470            7571                    5128
     60000                             17433           10700                   12461
     80000                             22026           13453                   15233
    100000                             27081           15456                       -

Fig. 3. Grammar representations constructed by different algorithms: pftp



  MSC size   Size of Sequitur output on different linearizations
     20000   5612, 7381, 8909, 11584, 13800
     40000   9679, 12303, 18911, 21526, 24945
     60000   13441, 20121, 27212, 31443, 35490
     80000   16641, 23117, 30235, 39318, 45617
    100000   19759, 30257, 38221, 47116, 55228

Fig. 4. Impact of the choice of linearization on Sequitur



to implementations of algorithms Top-to-bottom and Replace-most-frequent. We
also fed random linearizations of these charts to the string compression algorithm
Sequitur. A performance comparison is described in Figs. 2 and 3. The tables
compare average sizes of grammar representations of MSCs of given lengths.
The quadratic-time algorithm Replace-most-frequent did not terminate within
a reasonable time for the longest input.

The above results suggest there is a practical advantage in choosing a
linearization judiciously (as opposed to randomly). We experimented with this
separation more, by studying the performance of the Sequitur algorithm on different
linearizations of an MSC output by mobile1 (Fig. 4). These linearizations
are chosen with various "degrees" of arbitrariness. More precisely, while generating
a linearization, we proceed along the lines of the Top-to-bottom algorithm,
but make random choices at some of the steps. Of course, we cannot hope to
generate the entire spectrum of linearizations of a large MSC this way; however,
we do seem to get linearizations nicely covering the space between random and
greedily chosen linearizations. Note that it is very possible that linearizations
with much smaller grammars exist; it is just not easy to find them.
4 Bounds on Performance

In this section, we provide some theoretical bounds for the compression problem
and strategies mentioned in the previous section.

We first demonstrate an exponential separation between the optimals $C_I$
and $C^P_I$. We encode the sequence $(0, 1, 2, \ldots, 2^k - 1)$ in binary as follows. Our
alphabet is $\Sigma = \{\#\} \cup \{b_i^0, b_i^1 \mid 1 \le i \le k\}$. The special symbol $\#$ will separate
two successive numbers in the sequence. The encoding of a number that has 0
or 1 as its $j$-th bit will have, respectively, $b_j^0$ or $b_j^1$ as its $j$-th bit. That is, we
consider the string

$$\sigma = \# w_0 \# w_1 \# \cdots \# w_{2^k - 1}, \qquad w_n = b_1^{n_1} b_2^{n_2} \cdots b_k^{n_k},$$

where $n_j$ denotes the $j$-th bit of $n$. Our independence relation is
$I = \{(b_i^d, b_j^e) \mid i \neq j\}$. In other words, distinct $b_i$'s are independent of each
other and are all dependent on $\#$. In any string that is equivalent to $\sigma$, the set
of symbols between every pair of $\#$'s encodes a distinct number $0 \le n < 2^k$.
This makes such a string incompressible using grammar-based algorithms;
intuitively, every interval between successive $\#$'s contributes at least one symbol
to the grammar. Formally, we show that the application of the Lempel-Ziv
compression algorithm [ZL77] to $\sigma$ compresses it at most by a factor $k$. Then
we will use a relation between $C_I(\sigma)$ and this compressed form proved by
Charikar et al. [CLL+02] to show that $C_I(\sigma)$ is smaller than $\sigma$ by at most a
factor of $k$. Finally, we show that $C^P_I(\sigma)$ is logarithmic in $|\sigma|$.

Lemma 1. If $\tau \equiv_I \sigma$, then the LZ77-encoding of $\tau$ is $\Omega(2^k)$.

Proof: The LZ77 algorithm describes a string $w$ using a sequence $s_1 s_2 \ldots s_d$ of
widgets. Each widget $s_i$ is either a symbol of the alphabet of $w$ or of the form
$s_i = (j, r)$. Intuitively, the latter means "start at the position $j$ of the string
encoded by $s_1 \ldots s_{i-1}$ and read the next $r$ symbols." More precisely, a widget
$(j, r)$ represents the substring $w(j) w(j+1) \ldots w(j+r-1)$, assuming the length
of the string represented by $s_1 \ldots s_{i-1}$ is at least $j$.

We show there is no way to encode any consistent ordering of $\sigma$ with fewer
than $c 2^k$ widgets, for some $c$. Assume $S = s_1 \ldots s_d$ is the LZ77 form for some
ordering $\tau$ of $\sigma$. Then no widget of the form $s_i = (j, r)$ in $S$ can encode a
substring containing two or more occurrences of the symbol $\#$. This is because the
set of $b$'s that occurs between each pair of $\#$'s in $\tau$ is unique, and thus there
is no part of $s_1 \ldots s_{i-1}$ that one can refer to in order to obtain the same set,
irrespective of how the $b$'s are ordered. Consequently, we can have at most two $\#$'s
in the string denoted by $(j, r)$, and thus $r \le 2k$. Then the claim holds for
$c = 1/2$. ■

The result of [CLL+02] shows that if $\lambda$ is the length of the LZ77-encoding
of a string $\sigma$, then $\lambda \le C(\sigma) \log |\sigma|$. It follows that $C_I(\sigma) = \Omega(2^k)$. Suppose
the edge-cover algorithm projects $\sigma$ onto the subalphabets $\Sigma_{i,d} = \{b_i^d, \#\}$, where
$i \in \{1, \ldots, k\}$ and $d \in \{0, 1\}$. There are $2k$ such subalphabets. It can be shown
that each of these projections has a periodic nature and, as a result, a grammar
of size $O(k)$. For instance, the projection on $b_1^0$ and $\#$ is $(\# b_1^0 \#)^{2^{k-1}}$. This
shows that $C^P_I(\sigma) = O(k^2)$. Note that the choice of $k$ is arbitrary in the above.
Consequently, we conclude the following theorem:
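The construction of $\sigma$, the LZ77 parse used in Lemma 1, and the periodic projections onto $\{b_i^d, \#\}$, as an added Python example (not the paper's code). It reads bit 1 as the least significant bit, which is the reading under which the projection on $\{b_1^0, \#\}$ is $(\# b_1^0 \#)^{2^{k-1}}$, and it uses a plain greedy LZ77 parse with the widget semantics of the proof (a copy widget is only taken when it spans at least two symbols). All names are the example's own; it goes slightly beyond the text by computing the period of every projection $\Sigma_{i,d}$, not only $\Sigma_{1,0}$.

```python
def separation_string(k):
    """sigma = # w_0 # w_1 ... # w_{2^k-1} as a list of symbols, where
    w_n = b_1^{n_1} ... b_k^{n_k} and n_j is the j-th bit of n (bit 1 = least
    significant, an assumption of this example). Symbol b_j^d is spelled 'bj^d'."""
    sigma = []
    for n in range(2 ** k):
        sigma.append("#")
        for j in range(1, k + 1):
            sigma.append(f"b{j}^{(n >> (j - 1)) & 1}")
    return sigma


def blocks_between_hashes(sigma):
    """The sets of symbols between successive #'s (one per encoded number)."""
    blocks, current = [], []
    for x in sigma[1:]:                      # sigma starts with '#'
        if x == "#":
            blocks.append(frozenset(current))
            current = []
        else:
            current.append(x)
    blocks.append(frozenset(current))
    return blocks


def lz77_widgets(w):
    """Greedy LZ77 parse into widgets: a single symbol, or (j, r) meaning 'copy r
    symbols starting at position j of the text produced so far' (0-based here,
    overlap with the current position allowed)."""
    widgets, pos = [], 0
    while pos < len(w):
        best_j, best_r = None, 0
        for j in range(pos):
            r = 0
            while pos + r < len(w) and w[j + r] == w[pos + r]:
                r += 1
            if r > best_r:
                best_j, best_r = j, r
        if best_r >= 2:
            widgets.append((best_j, best_r))
            pos += best_r
        else:
            widgets.append(w[pos])
            pos += 1
    return widgets


def widget_span(widget):
    """Number of symbols of the text that a widget stands for."""
    return widget[1] if isinstance(widget, tuple) else 1


def project(sigma, keep):
    return [x for x in sigma if x in keep]


def smallest_period(seq):
    """(unit, repetitions) with seq == unit * repetitions and unit shortest."""
    n = len(seq)
    for p in range(1, n + 1):
        if n % p == 0 and all(seq[i] == seq[i % p] for i in range(n)):
            return seq[:p], n // p


def analyse(k):
    """Length, number of distinct #-blocks, LZ77 widget count and largest widget
    span of sigma, and (unit length, repetitions) of each projection on {b_i^d, #}."""
    sigma = separation_string(k)
    widgets = lz77_widgets(sigma)
    periods = {}
    for i in range(1, k + 1):
        for d in (0, 1):
            unit, reps = smallest_period(project(sigma, {f"b{i}^{d}", "#"}))
            periods[(i, d)] = (len(unit), reps)
    return {"length": len(sigma),
            "distinct_blocks": len(set(blocks_between_hashes(sigma))),
            "widgets": len(widgets),
            "max_widget_span": max(widget_span(w) for w in widgets),
            "periods": periods}
```

For $k = 3$ the string has $2^k (k+1) = 32$ symbols and $2^k = 8$ pairwise distinct blocks, no LZ77 widget spans more than $2k$ symbols (the bound $r \le 2k$ of the proof), and the projection on $\{b_i^d, \#\}$ is a unit of $3 \cdot 2^{i-1}$ symbols repeated $2^{k-i}$ times; that unit is itself $(\# b_i^d)^{2^{i-1}} \#^{2^{i-1}}$ or its mirror image, which is what gives each projection a grammar of size $O(k)$.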







Theorem 3. For each $n$, there is an alphabet $\Sigma$, an independence relation $I$
and a string $\sigma$ such that $|\sigma| > n$ and $C_I(\sigma) = \Omega(2^{|\Sigma|} C^P_I(\sigma))$.

It is worth noting the exponential separation holds even when the independence
relation is empty, that is, even for compressing ordinary strings. Consider the
string $\sigma$ in the above proof. Clearly, $\sigma$ itself cannot be compressed. Now all symbols
are pair-wise dependent, so there is a projection for every pair of symbols. It is
easy to verify that the projection onto each pair $\{b_i^d, b_j^e\}$ is periodic and has a
grammar of size $O(k)$. Thus $C^P(\sigma)$ is polynomial in $k$.

Now we proceed to give an upper bound for the edge-cover algorithm which,
given a string $\sigma$, projects it onto each edge $(a, b)$ in the complement $D$ of the
independence relation $I$. Let these projections be called $\pi_1, \pi_2, \ldots, \pi_m$. Let $C^E_I(\sigma)$
be the sum of the $C(\pi_i)$.

Theorem 4. For all strings $\sigma$ and independence relations $I$, $C^E_I(\sigma) \le |\Sigma|^2 C^P_I(\sigma)$.

Proof: Consider the projection $\pi$ of the string $\sigma$ on a pair $(a, b)$ of dependent
symbols. In the optimal projection based algorithm, one of the covering
subalphabets $\Sigma_j$ must include the pair $(a, b)$. Let $\tau$ be a string that is equivalent
to $\sigma \restriction \Sigma_j$. Consider a grammar $G$ for $\tau$. Note that $\tau \restriction \{a, b\}$ equals $\pi$. We can
remove all other terminals from each rule of $G$ to get a grammar for $\pi$ without
increasing the size of $G$. Therefore, $C(\pi) \le C(\tau)$. Hence, $C(\pi) \le C_I(\sigma \restriction \Sigma_j)$,
and $C(\pi) \le C^P_I(\sigma)$. There are at most $|\Sigma|^2$ edges in $D$, and the result follows. ■

To compress projections of $\sigma$ onto single pairs of dependent symbols, we can
use any grammar based algorithm, in particular, the algorithm by Charikar et
al. [CLL+02], thereby approximating $C^E_I(\sigma)$ up to factor $|\Sigma|^2 \log(|\sigma| / g^*)$, where
$g^*$ is the size of the optimal grammar. The bound for the edge-cover strategy is
tight. Suppose $\Sigma = \{a_1, \ldots, a_k\}$ such that all symbols are dependent. Consider
the string $\sigma = (a_1 \cdots a_k)^n$. The grammar of $\sigma$ is of size $k + \log n$, while the
grammar for each $\sigma \restriction \{a_i, a_j\}$ is of size $\log n$, and thus $C^E_I(\sigma)$ is $\log n$ times
the number of such pairs, which is quadratic in $k$.

An interesting special case for the clique-cover is when the alphabet is a union
of disjoint alphabets $\Sigma_1, \ldots, \Sigma_k$ and two symbols are dependent iff they belong
to the same partition $\Sigma_i$. In this case, a natural choice for the cover is the
partition $\Sigma_1, \ldots, \Sigma_k$. Let $C^E_I(\sigma)$ denote the sum of the $C(\sigma \restriction \Sigma_i)$. This strategy can be
quite beneficial over compressing the original string. For example, if there are
two independent symbols $a$ and $b$, then a random string $\sigma$ won't compress well,
while the two projections onto individual symbols carry the minimal information,
namely, the number of $a$'s and the number of $b$'s. As the next theorem shows,
projecting onto cliques can be worse than compressing the original string, or
even an equivalent linearization, by at most a factor of the number of cliques.

Theorem 5. If the alphabet is a disjoint union of $k$ cliques, then for any string
$\sigma$, $C^E_I(\sigma) \le k\, C_I(\sigma)$.

Proof: The proof is similar to the proof of Theorem 4. Consider any clique $\Sigma_i$ in
$D$, let $\pi_i = \sigma \restriction \Sigma_i$, and let $\tau$ be any string equivalent to $\sigma$. Since all the terminals
in $\Sigma_i$ depend on each other, one can show that the size of the optimal grammar
for $\pi_i$ is bounded by the size of the optimal grammar for $\tau$. ■

Again, this bound is tight. Suppose $\Sigma = \{a_1, \ldots, a_k\}$ such that all symbols
are independent (that is, there are $k$ singleton cliques). Consider the string $\sigma =
(a_1 \cdots a_k)^n$. The grammar of $\sigma$ is of size $k + \log n$, while the grammar for each
$\sigma \restriction \{a_i\}$ is of size $\log n$, and thus, $C^E_I(\sigma)$ is $k \log n$.

Finally, for the star-cover algorithm that uses both projections and relabeling,
we can show that every relabeled projection $\gamma_a(\sigma \restriction \Sigma_a)$ has a grammar of size at
most that of the smallest grammar for any string equivalent to the original.

Theorem 6. For all strings $\sigma$ and independence relations $I$, for each $a \in \Sigma$,

$$C(\gamma_a(\sigma \restriction \Sigma_a)) \le C_I(\sigma).$$

5 Conclusions

In this paper, we have formulated and initiated the study of the compression
problem of partially ordered strings. It is worth noting that even for compression
of ordinary strings, the use of projections and relabeling, and the resulting
succinctness of the representation, has not been studied earlier. While we have
shown that projection can lead to exponential succinctness for a class of strings,
it remains to be seen if projections, possibly augmented with relabeling, can be
engineered to lead to practical general compression techniques.

There are many directions for future research. The application to profiling
of executions of concurrent programs, and to visualization of large MSCs generated
by tools like SPIN in compact form, both seem promising. A recent paper
applies standard string compression techniques to parallel program executions
[GRM03], and our techniques can potentially improve their results. Compression
of partially ordered strings can be studied from an information theoretic
perspective. Based on the work we have initiated here, Savari has begun a
study of the graph entropy of such structures and of rewriting strings to normal
forms [Sav03a,Sav03b]. We would also like to sharpen the approximability of the
optimization measures introduced in this paper. In particular, approximability
bounds for the measure $C_I$, and improving the $|\Sigma|^2$ bound for the measure $C^E_I$,
are open problems. Finally, it would be interesting to study compression of
labeled partial orders based on more general classes of graph grammars ([Eng97])
than those implicit in Algorithm 1.

Acknowledgements. Thanks to Serap Savari for discussions and comments.
Abstract. We investigate which event structures can be denoted by means of
closed CCS ∪ CSP expressions. Working up to isomorphism we find that

• all denotable event structures are bundle event structures,

• upon adding an infinitary parallel composition all bundle event structures are
denotable,

• without it every finite bundle event structure can be denoted,

• as well as every countable prime event structure with binary conflict.

Up to hereditary history preserving bisimulation equivalence finitary conflict can
be expressed in terms of binary conflict. In this setting all countable stable event
structures are denotable.



Introduction 

In concurrency theory many languages for the representation of concurrent systems 
have been proposed, including CCS, SCCS, CSP, Meije, ACP, COSY and LOTOS, all 
in several variations. Although most of these languages were originally equipped with 
an interleaving semantics, concurrency respecting interpretations have been proposed 
by various authors, using semantical models like Petri nets, event structures, transi- 
tion systems - optionally with additional structure to represent causal independence - , 
causal trees, families of posets, etc. In recent years it has been established that there are 
canonical translations between most of these models, thereby making them into different 
representations of one and the same semantic concept [13,17,2,19,6]. In addition, the 
languages mentioned above are to a large extent intertranslatable, and can be regarded 
as dialects of one and the same system specification language. 

This paper deals with the question which of these unified semantic objects can be 
denoted by closed expressions in this unified language. As a representative semantic 
model we take the event structures from Winskel [17]. Our findings can then be trans- 
mitted to other models by means of the canonical translations found in the literature. 
As a representative language we combine some operators from CCS [12] and CSP [3, 
9]. Following a suggestion of Mogens Nielsen, such a combination is called CCSP. Our 
version of CCSP is sufficiently expressive to emulate most constructions from other 
languages found in the literature, including the ones provided with an event structure
semantics in [17]. The chosen combination of operators appears to be optimal for
carrying out the constructions in this paper. However, many other combinations would
lead to the same results.

In [17] the subclass of stable event structures is defined, as well as the further 
subclass of prime event structures. In [18] a subclass of event structures with a binary 
conflict relation is proposed (see Fig. 1 below). The prime event structures with binary 
conflict are exactly the (finitary) event structures originally introduced in [13]. It is well 
known that unstable event structures cannot be represented in CCSP-like languages in a 
causality respecting way. It is an interesting quest to extend such languages with novel 
operators that make this possible. This quest is not pursued here; we will be happy to 
just find out which of the stable event structures are denotable. 

It is unreasonable to expect to find a CCSP expression denoting a given event structure 
exactly. Hence we will try to find for any given stable event structure a CCSP expression 
whose denotation as event structure is semantically equivalent. This makes our quest 
parametrised by the choice of a suitable semantic equivalence. We consider three choices 
for this parameter: isomorphism, history preserving bisimulation equivalence and (in this 
introduction only) ST-bisimulation equivalence. 

Denotability up to Isomorphism. Up to isomorphism we characterise the denotable
event structures as the bundle event structures proposed in Langerak [11]. As we will
recall in Sect. 1, these include all prime event structures with binary conflict, and are
included in the stable event structures with binary conflict (cf. Fig. 1). In [11] examples
can be found showing that these inclusions are strict.



[Fig. 1 is a diagram of nested classes, from the innermost outwards: prime, bundle,
stable, and event structures, all with binary conflict.]

Fig. 1. Several classes of event structures



Our characterisation of the bundle event structures as the event structures that can
be expressed by CCSP expressions is exact when dealing with the original finite bundle
event structures and recursion-free CCSP. Our characterisation is also exact when dealing
with arbitrary infinite bundle event structures and a version of CCSP with an infinite
parallel composition operator. However, when dealing with countable event structures
and CCSP expressions with arbitrary systems of recursion equations, or with recursively
enumerable event structures and a recursively enumerable version of CCSP, all we can
show is that the denotable event structures are a subclass of the bundle event structures
that include all prime event structures with binary conflict.

In Sect. 2 a denotational semantics of CCSP is given in terms of event structures with 
binary conflict. This semantics follows the standard lines of [17,18]. In the same section 
we show that the class of bundle event structures is closed under the CCSP operators, 
thereby establishing that CCSP expressions can denote bundle event structures only. 
Along the same lines one can show that the bundle event structures are closed under
action refinement [5], the choice operators □ and ⊓ of CSP, and many other operators
found in the literature. We are not aware of any operator interpreted on event structures
for which the class of bundle event structures is not closed.

In Sect. 3 we show that up to isomorphism

• every finite bundle event structure can be denoted by a recursion-free CCSP
expression,

• every countable prime event structure with binary conflict can be denoted by a CCSP
expression,

• and every bundle event structure can be denoted by a CCSP expression with an
infinitary parallel composition.

We also provide a recursively enumerable version of the second result. The same results
can be obtained for the language of [17,18].

Denotability up to Hereditary History Preserving Bisimulation Equivalence. The
concept of history preserving bisimulation equivalence stems from Rabinovich &
Trakhtenbrot [15] and was adapted to event structures in Van Glabbeek & Goltz
[5]. There it was suggested that the notion could be regarded as the coarsest equivalence
that takes the interplay of causality and branching time completely into account. This
makes the equivalence a semantically interesting choice of parameter to instantiate our
quest with. We arrive at the positive conclusion that up to history preserving bisimulation
every countable stable event structure can be denoted by a CCSP expression. This result
is obtained in three steps, the first of which is the aforementioned denotability by CCSP
expressions of countable prime event structures with binary conflict. In Sect. 4 we extend
this to countable stable event structures, by observing that every countable stable
event structure with binary conflict is history preserving bisimulation equivalent with a
countable prime event structure with binary conflict.

In Sect. 5 we complete the proof by showing that every countable stable event
structure is history preserving bisimulation equivalent with a countable stable event
structure with binary conflict. This result was first claimed by us in [8] for finite prime
event structures. The claim was strengthened in [6] to include infinite ones. The first
published proof (for prime event structures) appears in Nielsen & Winskel [14], who
discovered the result independently. Their proof is somewhat nonconstructive however,
in the sense that there is no construction giving a specific countable event structure with
binary conflict for any given countable stable event structure with arbitrary conflict. Our
proof offers such a construction and is somewhat shorter as well.

The results above hold even when merely working up to hereditary history preserving 
bisimulation equivalence, which is a finer variant of history preserving bisimulation 
equivalence, proposed by Bednarczyk [1]. 

Denotability up to ST-Bisimulation Equivalence. The coarser ST-bisimulation equiv- 
alence, proposed in Van Glabbeek & Vaandrager [7], respects branching time and 
the possibility of actions to overlap in time, but abstracts from the faithful modelling of 
causality. By Theorem 1 in Van Glabbeek & Plotkin [6], every event structure, stable 
or not, is ST-bisimulation equivalent to a prime event structure. This result keeps being 
valid when assuming and requiring countability. It follows that up to ST-bisimulation
equivalence every event structure can be denoted by a CCSP expression.

1 Bundle Event Structures

Bundle event structures are introduced in Langerak [11]. Here we add the alphabets
for typed bundle event structures and generalise the notion to structures with infinite sets
of events.

Definition 1. A (typed) bundle event structure is a 5-tuple $\mathcal{E} = (E, \#, \mapsto, A, l)$ where

• $E$ is a set of events,

• $\# \subseteq E \times E$ is an irreflexive and symmetric relation, the conflict relation,

• $\mapsto \subseteq 2^E \times E$ is the bundle set, satisfying $X \mapsto e \Rightarrow \forall e_1, e_2 \in X.\ e_1 \neq e_2 \Rightarrow e_1 \# e_2$,

• $A$ is a set of actions, the alphabet of $\mathcal{E}$,

• and $l : E \to A$ is the labelling function.

A bundle event structure represents a concurrent system in the following way: action
names $a \in A$ represent actions the system might perform and an event $e \in E$ labelled
with $a$ represents an occurrence of $a$ during a possible run of the system. In order for $e$ to
happen it is necessary that for every bundle $X \mapsto e$, one of the elements of $X$ occurred
previously. The conflict $d \# e$ means that the events $d$ and $e$ cannot happen both in the
same run.

The components of a bundle event structure $\mathcal{E}$ will be denoted by $E_{\mathcal{E}}$, $\#_{\mathcal{E}}$, $\mapsto_{\mathcal{E}}$, $A_{\mathcal{E}}$
and $l_{\mathcal{E}}$; a convention that will also apply to other structures given as tuples.

The behaviour of a bundle event structure is described by explaining which subsets
of events constitute possible (partial) runs of the represented system (thus formalising
the interpretation of the bundle sets and the conflict relation). These subsets are called
configurations. The causal relationships between events in a configuration $x$ can be
represented by a partial order $<_x$.

Definition 2. The set $C(\mathcal{E})$ of (finite) configurations of a bundle event structure $\mathcal{E} =
(E, \#, \mapsto, A, l)$ consists of those finite $x \subseteq E$ which are

• conflict-free: $\# \cap (x \times x) = \emptyset$,

• and secured:

$$\exists e_1, \ldots, e_n\ (n \ge 0) : x = \{e_1, \ldots, e_n\} \wedge \forall i < n\ (Y \mapsto e_{i+1} \Rightarrow \{e_1, \ldots, e_i\} \cap Y \neq \emptyset).$$

The causality relation $<_x$ on $x \in C(\mathcal{E})$ is $\{(d, e) \in x \times x \mid \exists Y : d \in Y \mapsto_{\mathcal{E}} e\}^+$.
Here $R^+$ denotes the transitive closure of a relation $R$.

Following [5], we only consider finite configurations here; since the infinite
configurations which are usually considered are completely determined by the finite ones, this
causes no loss of generality. Note that if $e \in x \in C(\mathcal{E})$ and $Y \mapsto_{\mathcal{E}} e$ then $x \cap Y$ has
exactly one element. Hence $<_x$ is always a partial order.

We now define the prime and the stable event structures with binary conflict,
stemming from Winskel [18], and show that the bundle event structures can be regarded as
a generalisation of the former and a special case of the latter.
Definition 3. A (typed) prime event structure with binary conflict
is a 5-tuple $\mathcal{E} = (E, \#, \le, A, l)$ where

• $E$, $A$, and $l$ are as above,

• $\le \subseteq E \times E$ is a partial order such that $\forall e \in E : \{d \in E \mid d \le e\}$ is finite,

• and $\# \subseteq E \times E$ is an irreflexive, symmetric relation satisfying

$$\forall d, e, f \in E : d \le e \wedge d \# f \Rightarrow e \# f.$$

Here $d \le e$ means that $d$ is a prerequisite for $e$. Prime event structures with binary
conflict can be regarded as special bundle event structures, by defining

$$X \mapsto e \Leftrightarrow X = \{d\} \wedge d < e.$$

The definition of configurations given above is then consistent with the one in [18].

Definition 4. A (typed) event structure with binary conflict
is a 5-tuple $\mathcal{E} = (E, \#, \vdash, A, l)$ where

• $E$, $\#$, $A$, and $l$ are as for bundle event structures,
$Con = \{X \subseteq E \mid X \text{ finite and } d \# e \text{ for no } d, e \in X\}$ is the consistency predicate,

• and $\vdash \subseteq Con \times E$ is the enabling relation, satisfying

$$X \vdash e \wedge X \subseteq Y \in Con \Rightarrow Y \vdash e.$$

$\mathcal{E}$ is stable if $Y \vdash e$ implies that there is a least subset $X$ of $Y$ with $X \vdash e$.

$X \vdash e$ means that $X$ is a possible cause of $e$ in the sense that $e$ can occur only if for
a certain $Y$ with $Y \vdash e$ all events in $Y$ have occurred before.

Definition 5. The set $C(\mathcal{E})$ of (finite) configurations of an event structure with binary
conflict $\mathcal{E} = (E, \#, \vdash, A, l)$ consists of those finite $x \subseteq E$ which are

• conflict-free: $\# \cap (x \times x) = \emptyset$, i.e. $x \in Con$,

• and secured: $\exists e_1, \ldots, e_n\ (n \ge 0) : x = \{e_1, \ldots, e_n\} \wedge \forall i < n\ \{e_1, \ldots, e_i\} \vdash e_{i+1}$.

The causality relation $<_x$ on $x$ is $\{(d, e) \in x \times x \mid \forall Y : Y \vdash e \Rightarrow d \in Y\}^+$.

The causality relation gives a faithful description of the causal relations in a configuration
only if $\mathcal{E}$ is stable. As shown in [17,18], unstable event structures can model causal
relationships that cannot be captured in terms of partial orders. The following shows
how bundle event structures can be regarded as special stable event structures with
binary conflict.

Definition 6. Given a bundle event structure $\mathcal{E} = (E, \#, \mapsto, A, l)$, the associated event
structure with binary conflict $f(\mathcal{E}) = (E, \#, \vdash, A, l)$ is given by

$$X \vdash e \Leftrightarrow X \in Con \wedge \forall Y : (Y \mapsto e \Rightarrow X \cap Y \neq \emptyset).$$

Proposition 1. $f(\mathcal{E})$ is always stable. Moreover, the translation $f$ preserves configurations
and the causality relations $<_x$ on them.

Proof. Straightforward.
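Definitions 1, 2, 4, 5 and 6 and the checks behind Proposition 1, as an added Python example (not the paper's code): a bundle event structure with a configuration test (conflict-free and secured), its causality relation, the translation $f$ of Definition 6, the stability test, and a comparison of configurations and causality before and after translation. The causality relation of Definition 5 is evaluated here over enabling sets $Y \subseteq x$ only; that restriction is an assumption of this example and is what makes the preservation claim checkable on a finite structure. The structure itself (events $a, b, c, d$; conflict $a \# b$; bundles $\{a, b\} \mapsto c$ and $\{c\} \mapsto d$) and the unstable counter-example are constructed for the example.

```python
from itertools import combinations


def subsets(s):
    """All subsets of a finite set, as frozensets."""
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


def transitive_closure(pairs):
    """R^+ of a finite relation R."""
    closure, changed = set(pairs), True
    while changed:
        changed = False
        for a, b in list(closure):
            for c, d in list(closure):
                if b == c and (a, d) not in closure:
                    closure.add((a, d))
                    changed = True
    return closure


def secured(x, enabled_by):
    """Greedy search for an ordering e_1..e_n of x with enabled_by({e_1..e_i}, e_{i+1});
    enabling only grows with the prefix set, so greedy choice is complete."""
    done = set()
    while len(done) < len(x):
        ready = sorted(e for e in x - done if enabled_by(done, e))
        if not ready:
            return False
        done.add(ready[0])
    return True


class BundleES:
    """Definition 1: (E, #, |->, A, l); conflict given as unordered pairs."""

    def __init__(self, events, conflict, bundles, label):
        self.events, self.label = frozenset(events), dict(label)
        self.conflict = {frozenset(p) for p in conflict}
        self.bundles = [(frozenset(X), e) for X, e in bundles]
        for X, _ in self.bundles:          # bundle condition: X pairwise in conflict
            assert all(frozenset((e1, e2)) in self.conflict
                       for e1 in X for e2 in X if e1 != e2)

    def is_configuration(self, x):      # Definition 2
        x = frozenset(x)
        return (not any(p <= x for p in self.conflict) and
                secured(x, lambda done, e: all(X & done for X, f in self.bundles if f == e)))

    def causality(self, x):             # <_x of Definition 2
        x = frozenset(x)
        return transitive_closure({(d, e) for X, e in self.bundles if e in x for d in X & x})


class BinaryConflictES:
    """Definition 4: (E, #, |-, A, l); enabling is a predicate consulted on consistent X."""

    def __init__(self, events, conflict, enables, label):
        self.events, self.label = frozenset(events), dict(label)
        self.conflict = {frozenset(p) for p in conflict}
        self._enables = enables

    def consistent(self, X):            # X in Con
        return not any(p <= X for p in self.conflict)

    def enables(self, X, e):            # X |- e
        return self.consistent(frozenset(X)) and self._enables(frozenset(X), e)

    def is_configuration(self, x):      # Definition 5
        x = frozenset(x)
        return self.consistent(x) and secured(x, self.enables)

    def causality(self, x):             # <_x of Definition 5, Y ranging over subsets of x
        x = frozenset(x)
        return transitive_closure({(d, e) for e in x for d in x if d != e and
                                   all(d in Y for Y in subsets(x) if self.enables(Y, e))})

    def is_stable(self):                # every Y |- e has a least enabling subset
        for e in self.events:
            for Y in subsets(self.events):
                if self.enables(Y, e):
                    enabling = [X for X in subsets(Y) if self.enables(X, e)]
                    if not any(all(X <= Z for Z in enabling) for X in enabling):
                        return False
        return True


def to_binary_conflict(b):
    """Definition 6: X |- e iff X in Con and X meets every bundle Y |-> e."""
    return BinaryConflictES(b.events, b.conflict,
                            lambda X, e: all(X & Y for Y, f in b.bundles if f == e), b.label)


def configurations(es):
    return {x for x in subsets(es.events) if es.is_configuration(x)}


def example_bundle_es():
    """Constructed: c needs a or b (which are in conflict), d needs c."""
    return BundleES("abcd", [("a", "b")], [({"a", "b"}, "c"), ({"c"}, "d")],
                    {"a": "req", "b": "req", "c": "ack", "d": "close"})


def unstable_example():
    """Constructed: e is enabled by {a} and by {b}, a and b not in conflict, so {a, b}
    enables e without a least enabling subset; this is not stable."""
    return BinaryConflictES("abe", [], lambda X, e: e != "e" or bool(X & {"a", "b"}),
                            {"a": "x", "b": "x", "e": "y"})


def check_proposition_1(b):
    """(f(E) is stable, configurations agree, causality agrees on each configuration)."""
    f, confs = to_binary_conflict(b), configurations(b)
    return (f.is_stable(), confs == configurations(f),
            all(b.causality(x) == f.causality(x) for x in confs))
```

On the constructed structure the seven configurations are $\emptyset$, $\{a\}$, $\{b\}$, $\{a,c\}$, $\{b,c\}$, $\{a,c,d\}$ and $\{b,c,d\}$ on both sides of the translation, the causality on $\{a,c,d\}$ is $a <_x c <_x d$ (plus $a <_x d$ by transitivity) on both sides, and $f(\mathcal{E})$ is stable, whereas the structure in which $e$ is enabled by either of two non-conflicting events fails the stability test.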
2 A Denotational Event Structure Semantics of CCSP

CCSP is parametrised by the choice of an infinite set $Act$ of actions, that we will assume to be fixed for this paper. We also assume an infinite set $V$ of variable names. A variable is a pair $X_A$ with $X \in V$ and $A \subseteq Act$. The syntax of CCSP is given by

$P ::= 0_A \mid aP \mid P + P \mid P \| P \mid R(P) \mid \langle X_A | S \rangle$ (with $X_A \in V_S$)

with $A \subseteq Act$, $a \in Act$, $R \subseteq Act \times Act$, $X \in V$ and $S$ a recursive specification: a set of equations $\{X_A = P_{X_A} \mid X_A \in V_S\}$ with $V_S \subseteq V \times \mathcal{P}(Act)$ (the bound variables of $S$) and $\alpha(P_{X_A}) = A$ for all $X_A \in V_S$ (where $\alpha(P_{X_A})$ is defined below). The constant $0_A$ represents a process that is unable to perform any action. The process $aP$ first performs the action $a$ and then proceeds as $P$. The process $P + Q$ will behave as either $P$ or $Q$, $\|$ is a partially synchronous parallel composition operator, $R$ a renaming, and $\langle X_A | S \rangle$ represents the $X_A$-component of a solution of the system of recursive equations $S$. A CCSP expression $P$ is closed if every occurrence of a variable $X_A$ occurs in a subexpression $\langle Y_B | S \rangle$ of $P$ with $X_A \in V_S$. An expression $a0_\emptyset$ is abbreviated $a$.

Just like the version of CSP from Hoare [9], the version of CCSP used here is a typed language, in the sense that with every process $P$ an explicit alphabet $\alpha(P) \subseteq Act$ is associated, which is a superset of the set of all actions the process could possibly perform. This alphabet is exploited in the definition of $P \| Q$: actions in the intersection of the alphabets of $P$ and $Q$ are required to synchronise, whereas all other actions of $P$ and $Q$ happen independently. Because of this, processes with different alphabets may never be identified, even if they can perform the same set of actions and are alike in all other aspects. It is for this reason that we interpret CCSP in terms of typed event structures. The constant $0$ and the variables are indexed with an alphabet. The alphabet of an arbitrary CCSP expression is given by:

• $\alpha(0_A) = \alpha(X_A) = \alpha(\langle X_A | S \rangle) = A$

• $\alpha(aP) = \{a\} \cup \alpha(P)$

• $\alpha(P + Q) = \alpha(P \| Q) = \alpha(P) \cup \alpha(Q)$

• $\alpha(R(P)) = \{b \mid \exists a \in \alpha(P): (a, b) \in R\}$.

Substitutions of expressions for variables are allowed only if the alphabets match. For this reason a recursive specification $S$ is declared syntactically incorrect if $\alpha(P_{X_A}) \neq A$ for some $X_A \in V_S$.

Below we define the CCSP operators formally on the domains of (typed) bundle and stable event structures with binary conflict. As our bundle and stable interpretations agree on the components $E$, $\#$, $A$ and $l$, they will be given as 6-tuples $(E, \#, \mapsto, \vdash, A, l)$, so that the bundle interpretation is found by dropping $\vdash$, and the stable interpretation by dropping $\mapsto$. When $E$ is an event structure representing a CCSP expression $P$ then $A_E = \alpha(P)$. Hence we can abstain from explicitly mentioning the $A$-component in the forthcoming constructions.

Definition 7. The operators of CCSP are defined on event structures as follows:

Inaction: $E_{0_A} = (\emptyset, \emptyset, \emptyset, \emptyset, A, \emptyset)$.

Action prefix (for $a \in Act$):

• $E_{aE} = \{a\} \cup \{ae \mid e \in E_E\}$

• $l_{aE}(a) = a$ and $l_{aE}(ae) = l_E(e)$

• $\#_{aE} = \{(ae, ae') \mid e \#_E e'\}$

• $\mapsto_{aE}\ = \{(aX, ae) \mid X \mapsto_E e\} \cup \{(\{a\}, ae) \mid e \in E_E\}$ in which $aX = \{ae \mid e \in X\}$

• $\vdash_{aE}\ = \{(X, a) \mid X \in \mathit{Con}_{aE}\} \cup \{(aX \cup \{a\}, ae) \mid X \vdash_E e\}$.

Alternative composition:

• $E_{E_1 + E_2} = \{+_1 e \mid e \in E_{E_1}\} \cup \{+_2 e \mid e \in E_{E_2}\}$

• $l_{E_1 + E_2}(+_i e) = l_{E_i}(e)$ $(i = 1, 2)$

• $\#_{E_1 + E_2} = \{(+_i e, +_i e') \mid e \#_{E_i} e',\ i = 1, 2\} \cup \{(+_i e, +_j f) \mid e \in E_{E_i},\ f \in E_{E_j},\ i \neq j\}$

• $\mapsto_{E_1 + E_2}\ = \{(+_i X, +_i e) \mid X \mapsto_{E_i} e,\ i = 1, 2\}$ in which $+_i X = \{+_i e \mid e \in X\}$

• $\vdash_{E_1 + E_2}\ = \{(+_i X, +_i e) \mid X \vdash_{E_i} e,\ i = 1, 2\}$.

Parallel composition:

• $E_{E \| F} = \{(e \| *) \mid l_E(e) \notin A_F\} \cup \{(* \| f) \mid l_F(f) \notin A_E\} \cup \{(e \| f) \mid l_E(e) = l_F(f) \in A_E \cap A_F\}$

• $l_{E \| F}(e \| *) = l_E(e)$, $l_{E \| F}(* \| f) = l_F(f)$ and $l_{E \| F}(e \| f) = l_E(e) = l_F(f)$

• $\#_{E \| F} = \{(e \| f, e' \| f') \mid (e \| f \neq e' \| f') \wedge (e \#_E e' \vee e = e' \neq * \vee f \#_F f' \vee f = f' \neq *)\}$

• $\mapsto_{E \| F}\ = \{(X \| F, e \| f) \mid X \mapsto_E e\} \cup \{(E \| Y, e \| f) \mid Y \mapsto_F f\}$

in which $X \| F = \{(e \| f) \in E_{E \| F} \mid e \in X\}$ and $E \| Y = \{(e \| f) \in E_{E \| F} \mid f \in Y\}$

• $\vdash_{E \| F}\ = \{(X, e \| f) \mid (e = * \vee \pi_1(X) \vdash_E e) \wedge (f = * \vee \pi_2(X) \vdash_F f)\}$

in which $\pi_1(X) = \{e \in E_E \mid \exists f \in E_F \cup \{*\}: e \| f \in X\}$ and $\pi_2(X) = \{f \in E_F \mid \exists e \in E_E \cup \{*\}: e \| f \in X\}$.

Relational renaming (for $R \subseteq Act \times Act$):

• $E_{R(E)} = \{R_b e \mid e \in E_E,\ (l_E(e), b) \in R\}$

• $l_{R(E)}(R_b e) = b$

• $\#_{R(E)} = \{(R_b e, R_c e') \mid e \#_E e' \vee (e = e' \wedge b \neq c)\}$

• $\mapsto_{R(E)}\ = \{(R(X), R_b e) \mid X \mapsto_E e\}$ in which $R(X) = \{R_b e \mid e \in X \wedge (l_E(e), b) \in R\}$

• $\vdash_{R(E)}\ = \{(X, R_b e) \mid X \in \mathit{Con} \wedge R^{-1}(X) \vdash_E e\}$ in which $R^{-1}(X) = \{e \in E_E \mid \exists b \in R(l_E(e)): R_b e \in X\}$.

The semantics for $0$, $aE$, $E + F$ and $E \| F$ follows the lines of [17,18,2,11]. Relational renaming appears in [16] and [4]. For every relation $R \subseteq Act \times Act$ there is an operator $R$ that replaces each occurrence of an action $a$ by fresh occurrences of the actions $\{b \mid aRb\}$. These occurrences are pairwise in conflict, and inherit their causal relationships from their source. The relabelling operators of CCS [12], CSP [3] and Winskel [18] are special cases where $R$ is a function; the inverse image operator of CSP [3] is the special case where $R$ is the inverse of a function. In case $R(a) = \emptyset$, the definition implies that the events labelled $a$ are removed; thus also the restriction operators of CCS and [18] constitute special cases of relational renaming. Relational renaming in turn is a special case of action refinement, as studied for instance in [5]. Also note that every relational renaming operator can be written as the composition of an inverse image operator and a functional renaming operator.

The meaning of the recursion constructs $\langle X_A | S \rangle$ can be given by means of least fixed point techniques, see e.g. [17,18]. The fact that we allow recursive specifications of arbitrary size (in [17,18] they are of size 1) does not create complications; we will not repeat the definitions here. Following the standard denotational approach this yields a bundle event structure $[\![P]\!]$ and a stable event structure with binary conflict $[\![P]\!]_\vdash$ for every closed CCSP expression $P$. For open CCSP expressions $[\![P]\!]$ and $[\![P]\!]_\vdash$ are functions from valuations of the variables to event structures.

Proposition 2. For every CCSP expression $P$ we have $f([\![P]\!]) = [\![P]\!]_\vdash$. Hence the bundle event structures, seen as a subclass of the stable event structures, are closed under the operators of CCSP.

Proof. Straightforward with Definition 7.

3 Denoting Bundle Event Structures in CCSP

In this section we address the question which event structures can be denoted by closed CCSP expressions of various kinds. As the events in structures $[\![P]\!]$ with $P$ a closed CCSP expression have very particular names, whose choice seems to carry little semantic relevance, it is for this purpose most appropriate to study event structures up to isomorphism. Here two event structures $E$ and $F$ are isomorphic ($E \cong F$) iff $A_E = A_F$ and there exists a bijection between their sets of events preserving $\mapsto$ (resp. $\vdash$), $\#$ and labelling. Later we will see if the class of denotable event structures increases when considering a coarser equivalence.

The following proposition allows us to exchange, within a recursion-free CCSP expression, a closed subexpression by another expression denoting an isomorphic event structure.

Proposition 3. (Congruence) Let $E$, $E'$ and $F$ be event structures with $E \cong E'$. Then $aE \cong aE'$ for $a \in Act$, $E + F \cong E' + F$, $F + E \cong F + E'$, $E \| F \cong E' \| F$, $F \| E \cong F \| E'$ and $R(E) \cong R(E')$ for $R \subseteq Act \times Act$.

Proof. Immediate from the definitions.

The next one, essentially due to Hoare [9], allows us to drop brackets and abstract from the order of components in nested parallel compositions.

Proposition 4. Let $E$, $F$ and $G$ be event structures. Then $E \| (F \| G) \cong (E \| F) \| G$ and $E \| F \cong F \| E$.

Proof. Straightforward.

Now we are ready to state the main theorems. We start with the simplest case of finite prime event structures with binary conflict.

Theorem 1. For every finite prime event structure with binary conflict $E$ there is a closed recursion-free CCSP expression $P$ such that $[\![P]\!] \cong E$.

Proof. As we are interested in $E$ only up to isomorphism, w.l.o.g. we may assume that $E_E \subseteq Act$, i.e. the names of the events can also be used as names of CCSP actions. Let $E'$ be the variant of $E$ in which every event is labelled by itself. We first build a CCSP expression denoting $E'$ (up to isomorphism), by encoding all events and all elements of the conflict and causality relation of $E'$ in terms of CCSP constructions. Subsequently, an expression for $E$ is obtained by applying a renaming operator. Let $E_E = \{a_1, \ldots, a_n\}$, $\#_E = \{(b_1, c_1), \ldots, (b_m, c_m)\}$ and $<_E\ = \{(d_1, e_1), \ldots, (d_k, e_k)\}$. Then

$P = l_E\big(a_1 \| \cdots \| a_n \| (b_1 + c_1) \| \cdots \| (b_m + c_m) \| (d_1 e_1) \| \cdots \| (d_k e_k)\big) + 0_{A_E}.$

Here $l_E$ is not only the labelling function of $E$, but also one of the renaming operators of CCSP. Note that the actions $b_i$ and $c_i$ ($i = 1, \ldots, m$), as well as $d_j$ and $e_j$ ($j = 1, \ldots, k$), are among the actions $a_1, \ldots, a_n$. We have that $[\![a \| (a + b)]\!] = [\![a + b]\!]$ and $[\![a \| (ab)]\!] = [\![b \| (ab)]\!] = [\![ab]\!]$. Hence it would suffice to list as $a_1, \ldots, a_n$ only those events not in conflict or in any causal relationship with another event. It is routine to check that the constructed expression denotes $E$ (up to isomorphism). The term $0_{A_E}$ is added in case the alphabet of $E$ contains actions that do not arise as the label of any event.

It is interesting to observe that the relational renaming operator is not needed in this proof; 
functional renaming would suffice. The proof above holds for the syntax of CSP - as in 
[3] - as well. The same cannot be done in CCS [12], because there only handshaking 
communication is available. 

Now we pass to the case of finite bundle event structures.

Theorem 2. For every finite bundle event structure $E$ there is a closed recursion-free CCSP expression $P$ such that $[\![P]\!] \cong E$.

Proof. The proof goes along the same lines as the previous one, except that instead of causal links $d <_E e$ we now have to encode bundles $X \mapsto_E e$. Let $X = \{d_1, \ldots, d_h\}$. Then the bundle $X \mapsto_E e$ is represented by $R(de)$ where $d$ is a fresh action and $R$ is the relational renaming $\{(d, d_1), (d, d_2), \ldots, (d, d_h), (e, e)\}$.

One may wonder to what extent relational renaming is really needed here. For the language CCSP as given here it is, because with a straightforward structural induction one can check that all bundle event structures that can be denoted by recursion-free CCSP expressions with merely functional renaming only have bundles $X \mapsto e$ in which all events in $X$ have the same label. However, there are other process algebraic operators that can take over the role of relational renaming.
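Added example, not code from the paper: the bundle part of Definition 7 (the $\vdash$ component is dropped, as the paper allows) implemented in Python, together with the encoding of a bundle through relational renaming from the proof of Theorem 2 and the two identities $[\![a \| (a + b)]\!] = [\![a + b]\!]$ and $[\![a \| (ab)]\!] = [\![ab]\!]$ used in the proof of Theorem 1. The event names $+_i e$, $e \| f$ and $R_b e$ are represented as Python tuples, the fresh action of Theorem 2 is assumed to be the string `'d0'`, and structures are compared through a label-level fingerprint, which coincides with isomorphism when no two events carry the same label (as is the case for every structure built here).

```python
"""The CCSP operators of Definition 7 on (typed) bundle event structures,
with the ⊢ component dropped, plus the encoding of a bundle by relational
renaming from the proof of Theorem 2. Added example, not code from the
paper; the paper's event names +_i e, e||f and R_b e become Python tuples,
and the helper names are our own."""
from dataclasses import dataclass

STAR = '*'   # the "absent partner" of the paper's e||* and *||f (assumed never an event name)


@dataclass
class BES:
    events: frozenset    # E_E
    lab: dict            # l_E : E_E -> Act
    conflict: frozenset  # #_E, kept symmetric
    bundles: frozenset   # pairs (X, e) for X ↦ e, with X a frozenset
    alphabet: frozenset  # A_E = alpha(P)


def inaction(A):
    return BES(frozenset(), {}, frozenset(), frozenset(), frozenset(A))


def prefix(a, E):
    ev = {a} | {(a, e) for e in E.events}
    lab = {a: a, **{(a, e): E.lab[e] for e in E.events}}
    conf = {((a, d), (a, e)) for d, e in E.conflict}
    bun = {(frozenset((a, x) for x in X), (a, e)) for X, e in E.bundles}
    bun |= {(frozenset({a}), (a, e)) for e in E.events}   # a precedes everything
    return BES(frozenset(ev), lab, frozenset(conf), frozenset(bun), E.alphabet | {a})


def choice(E1, E2):
    parts = {1: E1, 2: E2}
    ev = {(i, e) for i, E in parts.items() for e in E.events}
    lab = {(i, e): parts[i].lab[e] for i, e in ev}
    conf = {((i, d), (i, e)) for i, E in parts.items() for d, e in E.conflict}
    conf |= {(p, q) for p in ev for q in ev if p[0] != q[0]}   # +1 events vs +2 events
    bun = {(frozenset((i, x) for x in X), (i, e))
           for i, E in parts.items() for X, e in E.bundles}
    return BES(frozenset(ev), lab, frozenset(conf), frozenset(bun), E1.alphabet | E2.alphabet)


def parallel(E, F):
    ev = {(e, STAR) for e in E.events if E.lab[e] not in F.alphabet}
    ev |= {(STAR, f) for f in F.events if F.lab[f] not in E.alphabet}
    ev |= {(e, f) for e in E.events for f in F.events
           if E.lab[e] == F.lab[f] and E.lab[e] in E.alphabet & F.alphabet}
    lab = {(e, f): (E.lab[e] if e != STAR else F.lab[f]) for e, f in ev}

    def clash(d, d2, conflict):          # d # d'  or  d = d' ≠ *
        return (d, d2) in conflict or (d == d2 != STAR)
    conf = {(p, q) for p in ev for q in ev if p != q and
            (clash(p[0], q[0], E.conflict) or clash(p[1], q[1], F.conflict))}
    bun = {(frozenset(p for p in ev if p[0] in X), q)      # X||F ↦ e||f
           for X, e in E.bundles for q in ev if q[0] == e}
    bun |= {(frozenset(p for p in ev if p[1] in Y), q)     # E||Y ↦ e||f
            for Y, f in F.bundles for q in ev if q[1] == f}
    return BES(frozenset(ev), lab, frozenset(conf), frozenset(bun), E.alphabet | F.alphabet)


def rename(R, E):
    ev = {(b, e) for e in E.events for a, b in R if E.lab[e] == a}   # R_b e
    lab = {(b, e): b for b, e in ev}
    conf = {((b, d), (c, e)) for b, d in ev for c, e in ev
            if (d, e) in E.conflict or (d == e and b != c)}
    bun = {(frozenset(p for p in ev if p[1] in X), q)      # R(X) ↦ R_b e
           for X, e in E.bundles for q in ev if q[1] == e}
    return BES(frozenset(ev), lab, frozenset(conf), frozenset(bun),
               frozenset(b for a, b in R if a in E.alphabet))


def act(a):
    """The abbreviation a for a 0_∅."""
    return prefix(a, inaction(set()))


def encode_bundle(ds, e, fresh='d0'):
    """Theorem 2: the bundle {d1..dh} ↦ e as R(d e) with a fresh action d and
    R = {(d, d1), ..., (d, dh), (e, e)}. 'fresh' is assumed not to occur in ds or e."""
    R = {(fresh, d) for d in ds} | {(e, e)}
    return rename(R, prefix(fresh, act(e)))


def shape(E):
    """Label-level fingerprint: labels, conflicts and bundles seen through l_E,
    and the alphabet. Equal fingerprints mean isomorphic structures whenever
    no two events share a label."""
    return (sorted(E.lab.values()),
            {frozenset((E.lab[d], E.lab[e])) for d, e in E.conflict},
            {(frozenset(E.lab[x] for x in X), E.lab[e]) for X, e in E.bundles},
            E.alphabet)
```

`encode_bundle(['d1', 'd2', 'd3'], 'e')` yields four events labelled d1, d2, d3, e, the three d-events pairwise in conflict and a single bundle {d1, d2, d3} ↦ e, exactly the structure the proof of Theorem 2 needs; `shape(parallel(act('a'), choice(act('a'), act('b'))))` equals `shape(choice(act('a'), act('b')))`, the first identity from the proof of Theorem 1.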

Theorem 3. For every finite bundle event structure $E$ there is a closed recursion-free expression $P$ in the language from Winskel [18] such that $[\![P]\!] \cong E$.

Proof. Winskel's language does not have relational renaming, but only functional renaming and a restriction operator $\lceil$. The restriction $E \lceil A$ behaves like $E$ but with its events restricted to those with labels which lie in the set $A$. The parallel composition $\times$ in Winskel's language allows every pair of events to synchronise; if $e_0$ is labelled $a_0$ and $e_1$ is labelled $a_1$ the synchronisation event is then labelled $(a_0, a_1)$. Events need not synchronise however; an event $e_0$ in the first component that does not synchronise with any event of the second will be labelled by $(a_0, *)$, where $a_0$ is the label of $e_0$. For the rest Winskel's language is the same as CCSP, but untyped. The parallel operator of CCSP can be defined in terms of the operators $\times$, functional renaming and restriction. Although in a setting without recursion it is not possible to define CCSP's relational renaming operation in terms of the operations of Winskel's language, we can, for any finite bundle event structure $E$ in which all events have a different label and any image finite relational renaming $R$, define a context $C_{R,E}[\cdot]$ in Winskel's language that behaves like $R$. In the definition of this context, we use as a derived construct the interleaving operator $|||$ that is given by

$P ||| Q = f\big((P \times Q) \lceil (\{(a, *) \mid a \in \alpha(P)\} \cup \{(*, b) \mid b \in \alpha(Q)\})\big),$

where $f$ is a functional renaming that renames each action $(a, *)$ into $a$, and each action $(*, b)$ into $b$. Let $E$ and $R$ be as stipulated. Now the context can be defined as

$C_{R,E}[\cdot] = g\big(([\cdot] \times (a_1 ||| \cdots ||| a_n)) \lceil R'\big),$

where $\{a_b \mid \exists e \in E_E: l_E(e) = a \wedge (a, b) \in R\} = \{a_1, \ldots, a_n\}$, $R' = \{(a, a_b) \mid (a, b) \in R\}$ and $g$ is the functional renaming that renames each action $(a, a_b)$ into $b$. We claim that $[\![R(E)]\!] = [\![C_{R,E}[E]]\!]$ for each bundle event structure $E$ in which all events have a different label and any image finite relational renaming $R$. Using $C_{R,de}[de]$ instead of $R(de)$ in the proof of Theorem 2 now yields the required result.

In the presence of sequential composition, such as the operator $;$ in CSP, a bundle $\{d_1, \ldots, d_h\} \mapsto_E e$ can also be represented as $(d_1 + \cdots + d_h); e$. However, a semantics of $;$ requires the introduction of a special event-label or some other additional structure that helps to distinguish deadlock from successful termination. Arbitrary bundle event structures with this additional structure can in general not be represented by CSP expressions, at least not with the method employed here. Nevertheless, the construction above would work when taking $;$ to be a sequencing operator [5] that starts its second argument as soon as its first argument can perform no further actions.

Next we turn to infinite bundle event structures. Obviously any bundle event structure can be denoted, up to isomorphism, in a variant of CCSP with a suitable infinitary parallel composition $\|_{i \in I} P_i$. If we stick to the binary versions of $\|$ and $+$ it is straightforward to check that only countable event structures can be denoted (event structures with countably many events and only countably many bundles), even in the presence of arbitrarily large recursive specifications. Thus, the best we can hope for is that every countable bundle event structure can be denoted by a CCSP expression. We are not sure if this is true; however, it can be established for prime event structures with binary conflict.

Theorem 4. For every countable prime event structure with binary conflict $E$ there is a closed CCSP expression $P$ such that $[\![P]\!] \cong E$.

Proof. Although only the binary parallel composition exists in the syntax, a countable parallel composition $P_0 \| P_1 \| P_2 \| \cdots$ can be created with infinite unguarded recursion, namely as $\langle X_{A_0} | S \rangle$ where $S$ contains the equations $X_{A_i} = P_i \| X_{A_{i+1}}$ with $A_i = \bigcup_{j \geq i} \alpha(P_j)$, for $i \in \mathbb{N}$. However, the denotational interpretation of such a system of equations contains only events whose existence can be proved by unwinding the recursion a finite number of times. There are for instance no events in $[\![\langle X_A | (X_A = a \| X_A) \rangle]\!]$. Thus, for the generated parallel composition to be useful, we need to require that for each $a \in A_0$ there is an $i$ with $a \notin A_i$, i.e.

$\bigcap_{i \in \mathbb{N}} A_i = \emptyset.$ (*)

Now let $E_E = \{a_i \mid i \in \mathbb{N}\}$, where the numbering is chosen in such a way that $a_i <_E a_j \Rightarrow i < j$. As $<_E$ is a partial order in which $\{d \in E \mid d <_E e\}$ is finite for all $e \in E_E$, this is always possible. Then the (possibly infinite) parallel composition $\|\{a_j \mid a_i <_E a_j\}$ contains all events that have $a_i$ as a causal predecessor, executed in parallel. Hence $[\![a_i(\|\{a_j \mid a_i <_E a_j\})]\!]$ is the fragment of the desired event structure that contains all causal links starting in $a_i$. Its alphabet is contained in $\{a_j \mid j \geq i\}$. The parallel composition of all such event structures for $i \in \mathbb{N}$ therefore contains all causal links of $E$, and satisfies (*). This structure is to be put in parallel with one containing all conflicts, constructed in a similar way. As $\#_E$ is irreflexive and symmetric, we only need to implement the conflicts $a_i \#_E a_j$ with $i < j$. We find that $E$ is denoted by

$P = l_E\Big(\ \big\|_{i=0}^{\infty}\ a_i\big(\|\{a_j \mid a_i <_E a_j\}\big)\ \ \big\|\ \ \big\|_{i=0}^{\infty}\ \big(a_i + \|\{a_j \mid j > i \wedge a_i \#_E a_j\}\big)\Big) + 0_{A_E}.$

We leave it as an open problem whether the same can be achieved using only finite recursive specifications.

Due to the presence of uncountably many renaming operators, the signature of CCSP is undecidable. This can be changed by only allowing recursively enumerable renaming operators, i.e. operators $R \subseteq Act \times Act$ for which there exists a Turing machine enumerating all pairs $(a, b) \in R$. Such renaming operators can be represented by the source code describing the generating Turing machine. Codes are finite objects, and it is decidable whether a piece of text is the source code describing such a Turing machine. Now define a recursively enumerable version of CCSP, call it CCSP$^{r.e.}$, by requiring

• that $Act$ is an r.e. set and all renaming operators are r.e.,

• that only r.e. subsets of $Act$ are allowed as indices of $0$ and the variables,

• and that recursive specifications $S$, seen as functions from $V_S$ to the CCSP expressions, should be primitive recursive, with $V_S$ a primitive recursive set.

This makes the signature of the language decidable. The primitive recursive requirement on $S$ even makes it decidable whether a variable in a CCSP$^{r.e.}$ expression is free [4]. Now we have the following recursively enumerable version of Theorem 4:

Theorem 5. Let $E$ be a prime event structure with binary conflict such that $E_E$, $A_E$, $<_E$ and $\#_E$ are recursively enumerable sets, $l_E$ is a recursive function, and there is an algorithm that for every event returns the finite set of its causal predecessors. Then there is a closed CCSP$^{r.e.}$ expression $P$ such that $[\![P]\!] \cong E$.
4 Denoting Stable Event Structures with Binary Conflict in CCSP

In this section we infer from Theorem 4 that up to hereditary history preserving bisimulation equivalence any countable stable event structure with binary conflict can be denoted by a closed CCSP expression.

Definition 8. Two stable event structures $E$ and $F$ are history preserving bisimulation equivalent ($E \approx_h F$) iff $A_E = A_F$ and there exists a relation $R \subseteq \mathcal{C}(E) \times \mathcal{C}(F) \times \mathcal{P}(E_E \times E_F)$, called a history preserving bisimulation, such that $(\emptyset, \emptyset, \emptyset) \in R$ and whenever $(x, y, f) \in R$ then

• $f$ is an isomorphism between $(x, <_x, l_E \lceil x)$ and $(y, <_y, l_F \lceil y)$,

• $x \subseteq x' \in \mathcal{C}(E) \Rightarrow \exists y', f'$ with $y \subseteq y' \in \mathcal{C}(F)$, $(x', y', f') \in R$ and $f' \lceil x = f$,

• $y \subseteq y' \in \mathcal{C}(F) \Rightarrow \exists x', f'$ with $x \subseteq x' \in \mathcal{C}(E)$, $(x', y', f') \in R$ and $f' \lceil x = f$.

The bisimulation and the equivalence are hereditary ($E \approx_{hh} F$) if moreover

• $x \supseteq x' \in \mathcal{C}(E) \Rightarrow \exists y', f'$ with $y \supseteq y' \in \mathcal{C}(F)$, $(x', y', f') \in R$ and $f \lceil x' = f'$,

• $y \supseteq y' \in \mathcal{C}(F) \Rightarrow \exists x', f'$ with $x \supseteq x' \in \mathcal{C}(E)$, $(x', y', f') \in R$ and $f \lceil x' = f'$.

$R$ is functional if $R = \{(x, f(x), f \lceil x) \mid x \in \mathcal{C}(E)\}$ for a function $f: E_E \to E_F$.

Note that a functional bisimulation is always hereditary. Moreover, when checking that a function $f: E_E \to E_F$ induces a history preserving bisimulation, the second requirement is trivially fulfilled. Joyal, Nielsen & Winskel [10] characterised a functional history preserving bisimulation as a categorical construction called open map.

Definition 8 also applies when E and F are prime or bundle event structures, or 
when one of them is prime and the other is stable. We now show that every (countable) 
stable event structure with binary conflict is hereditary history preserving bisimulation 
equivalent with a (countable) prime event structure with binary conflict. 

Definition 9. Given a stable event structure $E = (E, \#, \vdash, A, l)$ with binary conflict, the associated prime event structure $E' = (E', <, \#', A, l')$ is given by

• $E' = \{e_x \mid e \in x \in \mathcal{C}(E)$ and $x$ is a minimal configuration containing $e\}$,

• $d_x < e_y$ iff $x \subset y$,

• $d_x \#' e_y$ iff $E$ has no configuration containing both $x$ and $y$,

• $l'(e_x) = l(e)$.

$E'$ is obviously a prime event structure with binary conflict, and if $E$ is countable, then so is $E'$. Moreover, it is not too hard to check that the function $f: E' \to E$ given by $f(e_x) = e$ for $e_x \in E'$ induces a history preserving bisimulation. Therefore, any (countable) stable event structure with binary conflict is hereditary history preserving bisimulation equivalent with a (countable) prime event structure with binary conflict. This result also follows from the category theoretic results in [10]. In view of this, Theorem 4 implies

Theorem 6. For every countable stable event structure with binary conflict $E$ there is a closed CCSP expression $P$ such that $[\![P]\!] \approx_{hh} E$.
5 Arbitrary Conflict Reduces to Binary Conflict

In [17] event structures of the form $(E, \mathit{Con}, \vdash, A, l)$ appear, in which the predicate $\mathit{Con}$ of Definition 4 is explicitly given rather than generated by a binary conflict relation. It is postulated that $\mathit{Con}$ is a downwards closed nonempty set of finite sets of events. The configurations of such event structures and the causality relations on them are determined exactly as in Definition 5. Note that $\mathit{Con}$ can equivalently be represented by its complement: an upwards closed set $\mathit{Confl}$ of finite nonempty sets of events. Another equivalent representation is in terms of the minimal members of $\mathit{Confl}$: a collection $\#$ of finite nonempty sets of events, such that there are no two different $\gamma, \gamma' \in \#$ with $\gamma \subset \gamma'$. Now a finite set $x$ is consistent or conflict-free if $\gamma \subseteq x$ for no $\gamma \in \#$. In this representation event structures with a binary conflict relation are literally a special case of the ones with arbitrary conflict relations. The statement $\gamma \in \#$ means that the events in $\gamma$ cannot all happen in the same run. It does not place a restriction on proper subsets of $\gamma$.

In this section we show that every (countable) stable event structure is history preserving bisimulation equivalent to a (countable) prime event structure with binary conflict. For finite prime event structures this theorem was claimed by us in [8]. The generalisation to infinite event structures was reported in [6]. The same theorem has been discovered independently by Nielsen & Winskel [14], where the first published proof can be found. Although our proof is based on the same idea as the one of [14], it is somewhat shorter and more constructive.

Definition 10. Let $E$ be a countable event structure with arbitrary conflict. For $e \in E_E$ let $\#_e$ be the set of conflicts involving $e$: $\#_e = \{\gamma \in \#_E \mid e \in \gamma\}$. Define the event structure $2(E)$ by

• $E_{2(E)} = \{(e, t) \mid e \in E_E,\ t: \#_e \to \mathbb{N}$ with $t$ recursive and $\forall \gamma \in \#_e: t(\gamma) < |\gamma| - 1\}$

• $A_{2(E)} = A_E$ and $l_{2(E)}(e, t) = l_E(e)$

• $\#_{2(E)} = \{((e, t), (e', t')) \mid (e = e' \wedge t \neq t') \vee (e \neq e' \wedge \exists \gamma \in \#_e \cap \#_{e'}: t(\gamma) = t'(\gamma))\}$

• $\mapsto_{2(E)}\ = \{(2(X), (e, t)) \mid X \mapsto_E e\}$ in which $2(X) = \{(e, t) \mid e \in X\}$

• $\vdash_{2(E)}\ = \{(X, (e, t)) \mid \pi_1(X) \vdash_E e\}$ in which $\pi_1(X) = \{e \in E_E \mid \exists t: (e, t) \in X\}$.

The idea behind this definition is the following: every member $\gamma$ of the conflict relation on $E$ has $|\gamma|$ elements, of which only $|\gamma| - 1$ can be executed. This can be modelled as an allocation of $|\gamma| - 1$ seats to $|\gamma|$ events. Let us number these seats from $0$ to $|\gamma| - 2$. The event that is last in grabbing a seat can not happen. In general an event can occur in many elements $\gamma$ of $\#_E$, namely the ones in $\#_e$. In order to happen it has to grab a seat for each of these $\gamma$'s. Now $2(E)$ is an event structure where this abstract notion of conflict has been implemented on a more down-to-earth level. The new events are allocations of old events to seats. To be precise, they are pairs $(e, t)$, where $e$ is the name of the source event and $t$ a function that for every competition $\gamma \in \#_e$ in which $e$ participates selects a seat $t(\gamma) < |\gamma| - 1$. In [14] a pair $(e, t)$ is called an event with a twist, hence the choice of the letter $t$. Now the new events, which are old events allocated to seats, inherit their labelling and their causal dependencies from their source events. The causal dependencies are implemented by $\mapsto_{2(E)}$ or $\vdash_{2(E)}$, depending on whether the original event structure was a bundle, or a general one. Compare these definitions with the relational renaming operator in Sect. 2. The conflict relation on $2(E)$ is binary. The first set of conflicts ensures that an event can occur with only one allocation to seats in the various conflicts. The second set, that no two events are assigned the same seat in any particular conflict. This implements the abstract notion of conflict in $E$.

When an event $e'$ occurs it does not really matter which seats it chooses in the various conflicts it participates in, as long as these seats are not yet taken by other events. For each event $e$ that happened already, the chosen seats are given by the function $t$ it happened with. Now $e'$ has to choose an allocation function $t'$ that is different from $t$ in each conflict that involves both $e'$ and $e$. In order to make such a choice in a computationally respectful way, we assume that all allocation functions of events that happened previously are recursive. When $e'$ is about to happen, it can then calculate which seats are still free and choose a function that is recursive as well. (A function $t: \#_e \to \mathbb{N}$ is recursive if there is a partial recursive function $t': \mathcal{P}_{fin}(E_E) \to \mathbb{N}$ with $t = t' \lceil \#_e$ a total function. There is no need to assume that $\#_e$ is a decidable set.) The resulting requirement in Definition 10 that all functions $t$ should be recursive ensures that $2(E)$ is still countable. Without the recursiveness requirement this would not be the case.

Theorem 7. Let $E$ be a countable stable event structure. Then $2(E)$ is a countable stable event structure with binary conflict and the function $f: 2(E) \to E$ given by $f(e, t) = e$ induces a history preserving bisimulation. Hence $2(E) \approx_{hh} E$.

Proof. As $(e, t) \#_{2(E)} (e, t')$ for $t \neq t'$, it follows immediately that $f \lceil x$ is injective for every configuration $x$. Now suppose $f(x)$ contains a conflict $\gamma \in \#_E$. Then in $x$ there must be events $\{(e_i, t_i) \mid e_i \in \gamma\}$ with $t_i(\gamma) < |\gamma| - 1$, that is, $|\gamma|$ events sharing only $|\gamma| - 1$ seats. Hence two of these events must be in conflict, contradicting that $x$ is a configuration. It follows that $f(x)$ is conflict-free. It is immediate from the definition of $\mapsto_{2(E)}$ resp. $\vdash_{2(E)}$ that if $(e_1, t_1), \ldots, (e_n, t_n)$ secures $x$ in $2(E)$ then $e_1, \ldots, e_n$ secures $f(x)$. Hence $f(x)$ is a configuration of $E$. It is also immediate from the definition of $\mapsto_{2(E)}$ resp. $\vdash_{2(E)}$ that $f$ preserves causality and labelling.

Now suppose $x \in \mathcal{C}(2(E))$ and $f(x) \subseteq y' \in \mathcal{C}(E)$. We need to show that there is an $x' \in \mathcal{C}(2(E))$ with $x \subseteq x'$ and $f(x') = y'$. By induction on $|y'|$ it suffices to restrict attention to the case that there is exactly one event in $y' - f(x)$, call it $e$. As $y'$ is conflict-free, for every $\gamma \in \#_e$ we have that $|\gamma \cap f(x)| \leq |\gamma| - 2$. Hence there exists a recursive $t: \#_e \to \mathbb{N}$ satisfying, for all $\gamma \in \#_e$, $t(\gamma) < |\gamma| - 1$ and for no $(e', t') \in x$: $t'(\gamma) = t(\gamma)$. It follows that $x' := x \cup \{(e, t)\}$ is conflict-free. Moreover, any securing $(e_1, t_1), \ldots, (e_n, t_n)$ of $x$ can be extended with $(e, t)$ into a securing of $x'$. This follows because $e_1, \ldots, e_n, e$ is a securing of $y'$, using the definition of $\mapsto_{2(E)}$ resp. $\vdash_{2(E)}$. Thus $x' \in \mathcal{C}(2(E))$, which had to be proved. The other requirement for $f$ inducing a history-preserving bisimulation is trivial.
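Added example, not code from the paper: the construction $2(E)$ of Definition 10 applied to a constructed finite event structure with the ternary conflict $\{a, b, c\}$, the binary conflict $\{c, d\}$ and no causal dependencies, with the two properties from the proof of Theorem 7 checked by enumeration: $f(e, t) = e$ is injective on every configuration, and the configurations of $2(E)$ project exactly onto those of $E$. With no causal dependencies every conflict-free set is a configuration, so the check reduces to consistency; and because $\#_e$ is finite here every seat function $t$ is recursive, so the recursiveness side condition plays no role. All names are our own.

```python
"""The construction 2(E) of Definition 10 on a finite event structure with
arbitrary conflict, checked against Theorem 7 on a constructed sample.
Added example, not code from the paper. The sample has no causal
dependencies, so its configurations are exactly its conflict-free sets."""
from itertools import combinations, product


def seat_functions(gammas):
    """All t: #_e -> N with t(γ) < |γ| - 1, i.e. one seat 0..|γ|-2 per conflict
    γ involving e, represented as a hashable tuple of (γ, seat) pairs."""
    gammas = sorted(gammas, key=sorted)
    return [tuple(zip(gammas, seats))
            for seats in product(*[range(len(g) - 1) for g in gammas])]


def twist(events, conflicts):
    """Events and binary conflict relation of 2(E): (e,t) # (e,t') for t ≠ t',
    and (e,t) # (e',t') when e ≠ e' took the same seat in a shared γ."""
    conflicts = [frozenset(g) for g in conflicts]
    ev = [(e, t) for e in events
          for t in seat_functions([g for g in conflicts if e in g])]
    conf = {(p, q) for p in ev for q in ev if p != q and (
        p[0] == q[0] or
        any(dict(p[1])[g] == dict(q[1])[g]
            for g in conflicts if p[0] in g and q[0] in g))}
    return ev, conf


def consistent_sets(events, has_conflict):
    """All finite subsets x of events with no conflict inside x."""
    return {frozenset(x) for n in range(len(events) + 1)
            for x in combinations(events, n) if not has_conflict(x)}


def check_twist(events, conflicts):
    """Returns (|E_2(E)|, f maps the consistent sets of 2(E) exactly onto those
    of E, f is injective on every consistent set), with f(e, t) = e as in
    Theorem 7."""
    gammas = [frozenset(g) for g in conflicts]
    ev, conf = twist(events, conflicts)
    c_e = consistent_sets(events, lambda x: any(g <= frozenset(x) for g in gammas))
    c_2 = consistent_sets(ev, lambda x: any((p, q) in conf for p, q in combinations(x, 2)))
    projected = {frozenset(e for e, t in x) for x in c_2}
    injective = all(len({e for e, t in x}) == len(x) for x in c_2)
    return len(ev), projected == c_e, injective


# Constructed sample: a, b, c cannot all happen together, nor can c and d.
SAMPLE = (['a', 'b', 'c', 'd'], [{'a', 'b', 'c'}, {'c', 'd'}])
```

On the sample, `check_twist(*SAMPLE)` returns `(7, True, True)`: a and b each get two seats in the ternary conflict, c gets two seats there and one in {c, d}, d gets one, and the eleven conflict-free sets of $E$ (all subsets not containing {a, b, c} or {c, d}) are exactly the projections of the conflict-free sets of $2(E)$.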

By combining this insight with Theorem 6 it follows immediately that up to hereditary 
history preserving bisimulation equivalence all countable stable event structures with 
arbitrary conflicts are expressible in CCSP. 



Acknowledgement. Thanks to Rom Langerak for valuable feedback. 
Syntactic Formats for Free

An Abstract Approach to Process Equivalence

Abstract. A framework of Plotkin and Turi's, originally aimed at providing an abstract notion of bisimulation, is modified to cover other operational equivalences and preorders. Combined with bialgebraic methods, it yields a technique for the derivation of syntactic formats for transition system specifications which guarantee operational preorders to be precongruences. The technique is applied to the trace preorder, the completed trace preorder and the failures preorder. In the latter two cases, new syntactic formats ensuring precongruence properties are introduced.



1 Introduction 

Structural operational semantics [18,2] is one of the most fundamental frame- 
works for providing a precise interpretation of programming and specification 
languages. It is usually presented as a labelled transition system (LTS), in which 
states (sometimes called processes) are closed terms over some syntactic signa- 
ture, and transitions are labelled with elements of some fixed set of actions. The 
transition relation is in turn specified by a set of derivation rules. 

Many operational equivalences and preorders have been defined on processes. 
Among these are: bisimulation equivalence [17], simulation preorder, trace preor- 
der, completed trace preorder, failures preorder [13,21] and many others (for a 
comprehensive list see [10]). In the case of processes without internal actions, all 
of the above have been given modal characterisations [10]. 

Reasoning about operational equivalences and preorders is significantly easier 
when they are congruences (resp. precongruences). This facilitates compositional 
reasoning and full substitutivity. In general, operational equivalences (preorders) 
are not necessarily congruences (resp. precongruences) on processes defined by 
operational rules. Proofs of such congruence results for given transition system 
specifications can be quite demanding. 

One way to ensure congruential properties is to impose syntactic restrictions 
(syntactic formats) on operational rules. Many such formats have been deve- 
loped. For bisimulation equivalence, the examples are: de Simone format [23], 
GSOS [8], and ntyft/ntyxt [11]. For trace equivalence, examples include [27,5], 
while decorated trace preorders have been provided with formats in [6]. For an overview of the subject see [2].

The search for an abstract theory of bisimulation and 'well-behaved' operational semantics has led to the development of final coalgebra semantics [22] and bialgebraic semantics [25,26] of processes. In these frameworks, the notion of a transition system is parametrised by a notion of behaviour. Bisimulation is modelled abstractly as a span of coalgebra morphisms.

In [25,26] it was shown how to define operational rules on an abstract level, guaranteeing bisimulation equivalence (defined abstractly, using spans of coalgebra morphisms) to be a congruence. At the core of this so-called abstract GSOS is the modelling of a transition system specification as a natural transformation

$\lambda : \Sigma(\mathrm{id} \times B) \to BT$

where $\Sigma$ is the syntactic endofunctor, $T$ is the monad freely generated from $\Sigma$, and $B$ is some behaviour endofunctor. In the special case of the behaviour endofunctor $\mathcal{P}_f(A \times -)$, the abstract operational rules specialise to GSOS rules.

The abstract framework which defines bisimulation as a span of coalgebra morphisms is not sufficient for certain purposes [19]. Recently, another abstract notion of bisimulation, based on topologies (or complete boolean algebras) of tests, has been proposed [20,24].

In this paper we show that the latter abstract definition of bisimulation 
can be modified in a structured manner, to yield other known equivalences and 
preorders. We illustrate this approach on trace, completed trace and failures 
preorders. This constitutes a systematic approach to operational preorders, such 
as those based on testing scenarios [10], modal logics [10], and quantales [1]. 

Although the framework is general, in this paper we shall concentrate on the category of sets and functions, $\mathbf{Set}$. We define the test-suite fibration with total category $\mathbf{Set}^*$ having as objects pairs consisting of a set $X$ and a test suite (a subset of $\mathcal{P}X$) over $X$. We lift the abstract-GSOS framework to $\mathbf{Set}^*$ by describing how to lift the syntactic functor $\Sigma$ and the behaviour functor $B$. By changing how $B$ lifts to $\mathbf{Set}^*$ we alter the specialisation preorder of certain test suites in $\mathbf{Set}^*$. In particular, taking liftings which strongly resemble fragments of the Hennessy-Milner logic [12] causes the specialisation preorder to vary between known operational preorders. The abstract framework guarantees precongruence properties. The only hurdle is proving that a particular transition system specification (natural transformation) $\lambda$ lifts to a natural transformation in $\mathbf{Set}^*$:

$\lambda^* : \Sigma^*(\mathrm{id} \times B^*) \to B^* T^*.$

The consideration of which properties $\lambda$ must satisfy in order to lift provides us with syntactic sub-formats of GSOS which guarantee precongruence properties for various operational preorders.

In this paper, we illustrate this approach by presenting precongruence formats 
for the trace preorder, the completed trace preorder and the failures preorder. 
The format derived for the trace preorder coincides with the well known de 
Simone format [27]. The format derived for the completed trace preorder is, to 
the best of our knowledge, the first such format published. The format derived 
for the failures preorder is incomparable with the analogous format given in [6]. 

The structure of the paper is as follows. After §2 of preliminaries, we present 
the three obtained syntactic formats in §3, together with some examples and 
counterexamples from literature. The remaining sections are devoted to proving 
that the presented formats are indeed precongruence formats w.r.t. their res- 
pective preorders, and at the same time to illustrating the method of deriving 
such formats from a given operational preorder. In §4, we recall the basics of 
bialgebraic semantics. In §5, we present an abstract approach to operational 
preorders based on the notion of a test suite. In §6, this approach is merged with 
the bialgebraic framework to yield a general way of checking whether a given 
operational preorder is a congruence for a given transition system specification. 
Finally, in §7, we show that the formats presented in §3 ensure the respective 
precongruence results. We conclude in §8 by showing possible directions of fu- 
ture work. Due to lack of space, most proofs are left to the full version of this 
paper [15]. 

Acknowledgements. Most of the contents of §5 and §6 is a modified version 
of the framework developed (and, unfortunately, not yet published) by Gordon 
Plotkin [20] and Daniele Turi [24]. Thanks also go to Mikkel Nygaard for 
reading the paper and providing us with many valuable comments. The first 
author is also grateful to Daniele Turi for introducing him to the subject and 
for inspiration, and to Gordon Plotkin for discussions and encouragement. 



2 Preliminaries 

A labelled transition system (LTS) is a set $P$ of processes, a set $A$ of actions, and 
a transition relation ${\to} \subseteq P \times A \times P$. As usual, we write $p \xrightarrow{a} p'$ instead of 
$(p, a, p') \in {\to}$. An LTS is finitely branching if for every process $p$ there are 
only finitely many transitions $p \xrightarrow{a} p'$. 

Given a set of actions $A$, three sets of modal formulae $\mathcal{F}_{Tr}$, $\mathcal{F}_{CTr}$ and $\mathcal{F}_{Fl}$ are 
given by the following BNF grammars: 

$$\phi ::= \top \mid \langle a \rangle \phi \qquad\qquad 
  \psi ::= \top \mid \langle a \rangle \psi \mid A \qquad\qquad 
  \chi ::= \top \mid \langle a \rangle \chi \mid Q$$

where $a$ ranges over $A$, and $Q$ ranges over subsets of $A$ (the formula $A$ in the 
second grammar is the refusal of the whole action set, i.e. the case $Q = A$). Formulae 
in $\mathcal{F}_{Tr}$ are called traces over $A$. Formulae in $\mathcal{F}_{CTr}$ ended with $A$ are called 
completed traces, and formulae in $\mathcal{F}_{Fl}$ failures. 

Given an LTS, the satisfaction relation $\models$ between processes and modal formulae 
is defined inductively as follows: 

$$\begin{array}{lcl}
p \models \top & & \\
p \models \langle a \rangle \phi & \text{iff} & p' \models \phi \text{ for some } p' \text{ such that } p \xrightarrow{a} p' \\
p \models Q & \text{iff} & \text{there is no } a \in Q,\ p' \in P \text{ such that } p \xrightarrow{a} p'
\end{array}$$

Then three operational preorders on the set of processes are defined: the trace 
preorder $\sqsubseteq_{Tr}$, the completed trace preorder $\sqsubseteq_{CTr}$, and the failures preorder $\sqsubseteq_{Fl}$: 

$$p \sqsubseteq_W p' \iff (\forall \phi \in \mathcal{F}_W.\ p \models \phi \Rightarrow p' \models \phi)$$

where $W \in \{Tr, CTr, Fl\}$. 

In the context of structural operational semantics, processes are usually closed 
terms over some signature. A signature $\Sigma$ is a set (also denoted $\Sigma$) of language 
constructs, together with an arity function $\mathrm{ar} : \Sigma \to \mathbb{N}$. For a given set $X$ of 
variables, $\Sigma X$ is the set of expressions of the form $f(x_1, \ldots, x_{\mathrm{ar}(f)})$, where $f \in \Sigma$ 
and $x_i \in X$. Given a signature $\Sigma$ and a set $X$, the set $T_\Sigma X$ of terms over $\Sigma$ 
with variables $X$ is (isomorphic to) the least fixpoint of the operator 

$$\Phi Y = X + \Sigma Y$$

where $+$ denotes disjoint union of sets. When describing terms from $T_\Sigma X$ the 
injections $\iota_1 : X \to T_\Sigma X$ and $\iota_2 : \Sigma T_\Sigma X \to T_\Sigma X$ will often be omitted, i.e., we 
will write $f(x, y)$ rather than $\iota_2(f(\iota_1(x), \iota_1(y)))$. Also the subscript in $T_\Sigma X$ will 
be omitted if $\Sigma$ is irrelevant or clear from the context. Elements of $T\emptyset$ are called 
closed terms over $\Sigma$. 

For a term $t \in TX$ and a function $\sigma : X \to Y$, $t[\sigma]$ will denote the term in 
$TY$ resulting from $t$ by simultaneously replacing every $x \in X$ with $\sigma(x)$. 

In the following, we assume a fixed, infinite set of variables $\mathcal{X}$, ranged over 
by $x_1, x_2, \ldots, y_1, y_2, \ldots$. Terms with variables from $\mathcal{X}$ will be typeset $\mathsf{t}$, $\mathsf{t}'$, etc. 

Let us fix an arbitrary set of labels $A$. For a signature $\Sigma$, a positive $\Sigma$-literal 
is an expression $t \xrightarrow{a} t'$, and a negative $\Sigma$-literal is an expression $t \stackrel{a}{\nrightarrow}$, where 
$t, t' \in T\mathcal{X}$ and $a \in A$. A transition rule $\rho$ over $\Sigma$ is an expression $\frac{H}{\alpha}$, where $H$ is 
a set of $\Sigma$-literals and $\alpha$ is a positive $\Sigma$-literal. Elements of $H$ are called premises 
of $\rho$, and $\alpha$ the conclusion of $\rho$. The left-hand side and the right-hand side 
of the conclusion of $\rho$ are called the source and the target of $\rho$, respectively. A 
transition system specification over $\Sigma$ is a set of transition rules over $\Sigma$. 

Similarly, a $\Sigma$-semiliteral is either a negative $\Sigma$-literal, or an expression 
$t \xrightarrow{a}$, where $t \in T\mathcal{X}$ and $a \in A$. A positive literal $t \xrightarrow{a} t'$ completes the 
semiliteral $t \xrightarrow{a}$, and we say that a negative literal completes itself. 

In the following definition assume a fixed signature $\Sigma$, and a finite set $A$. 

Format 1 (GSOS). A transition system specification $R$ is in GSOS [8] format 
if every rule $\rho \in R$ is of the form 

$$\frac{\{\, x_i \xrightarrow{a_{ij}} y_{ij} \;:\; i \le n,\ j \le m_i \,\} \;\cup\; \{\, x_i \stackrel{b_{ik}}{\nrightarrow} \;:\; i \le n,\ k \le l_i \,\}}
       {f(x_1, \ldots, x_n) \xrightarrow{c} t}$$

with $f \in \Sigma$ and $n = \mathrm{ar}(f)$, such that $x_i \in \mathcal{X}$ and $y_{ij} \in \mathcal{X}$ are all distinct and are 
the only variables that occur in $\rho$. In the following, we will consider only image 
finite GSOS specifications, i.e. those with finitely many rules for each construct 
$f \in \Sigma$ and action $c \in A$. 
Given a transition system specification $R$ in GSOS format, one defines a 
notion of a provable positive literal in a straightforward way. The set of all 
provable literals forms a finitely branching LTS with closed terms over $\Sigma$ as 
processes, and with positive closed literals as transitions (for details, see [2]). 

An operational preorder $\sqsubseteq$ is a precongruence with respect to a transition 
system specification $R$, if in the LTS induced by $R$, for each $f \in \Sigma$ with arity $n$, 
if $t_1 \sqsubseteq t'_1, \ldots, t_n \sqsubseteq t'_n$ then $f(t_1, \ldots, t_n) \sqsubseteq f(t'_1, \ldots, t'_n)$. 

The examples in §3 are based on basic process algebra BPA. Assuming a 
finite set $A$ of actions, its syntax $\Sigma$ is defined by the BNF grammar $t ::= 0 \mid at \mid t + t$ 
and the transition system specification BPA over $\Sigma$ is a collection of rules 

$$\frac{}{a x \xrightarrow{a} x} \qquad\qquad
  \frac{x \xrightarrow{a} x'}{x + y \xrightarrow{a} x'} \qquad\qquad
  \frac{y \xrightarrow{a} y'}{x + y \xrightarrow{a} y'}$$

where $a$ ranges over $A$. When presenting terms over the above syntax, the trailing 
$0$'s will be omitted. It is easy to see that BPA is in the GSOS format. 

3 Precongruence Formats 

In this section we introduce the syntactic formats derived using the framework 
described in the latter parts of the paper. The precongruence properties of these 
formats are formally stated in §7. 

Format 2 (Tr-format). A set of GSOS rules $R$ is in Tr-format, if for each 
$\rho \in R$, all premises of $\rho$ are positive, and no variable occurs more than once in 
the left-hand sides of premises and in the target of $\rho$. 

It is easy to see that this format coincides with the well-known de Simone 
format [23]. The fact that this syntactic format ensures the trace preorder to be 
a precongruence was first proved in [27]. 

We proceed to define an analogous syntactic format for the completed trace 
preorder. 

Definition 1 (CTr-testing set). A CTr-testing set $P$ over a set of variables 
$\{x_1, \ldots, x_n\}$ is a set of semiliterals of the form 

$$P = \{\, x_i \xrightarrow{a_i} \;:\; i \in I \,\} \;\cup\; \{\, x_i \stackrel{a}{\nrightarrow} \;:\; i \in J,\ a \in A \,\}$$

where $I, J \subseteq \{1, \ldots, n\}$ and $a_i \in A$. 

Format 3 (CTr-format). A set of GSOS rules $R$ is in CTr-format, if 

1. For each rule $\rho \in R$: 

— if $\rho$ has a negative premise $x \stackrel{a}{\nrightarrow}$, then for every label $b \in A$, $\rho$ also has 
the negative premise $x \stackrel{b}{\nrightarrow}$, 

— no variable occurs more than once in the target of $\rho$, 

— no variable occurs simultaneously in the left-hand side of a premise and 
in the target of $\rho$, 

— no variable occurs simultaneously in the left-hand side of a positive premise 
and in the left-hand side of any other premise of $\rho$. 

2. For each construct $f(x_1, \ldots, x_n)$ of the language, there exists a sequence 
$P_1, \ldots, P_k$ of CTr-testing sets over $\{x_1, \ldots, x_n\}$, such that 

— For every (possibly renamed) rule $\rho \in R$ with source $f(x_1, \ldots, x_n)$ there 
exists a sequence $p_1, \ldots, p_k$ of semiliterals from $P_1, \ldots, P_k$ respectively, 
such that for every $i \in \{1, \ldots, k\}$ there exists a premise $r$ of $\rho$ such that 
$r$ completes $p_i$. 

— For every sequence $p_1, \ldots, p_k$ of semiliterals from $P_1, \ldots, P_k$ respectively, 
there exists a (possibly renamed) rule $\rho \in R$ with source 
$f(x_1, \ldots, x_n)$ such that for each premise $r$ of $\rho$ there exists an 
$i \in \{1, \ldots, k\}$ such that $r$ completes $p_i$. 
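The per-rule clauses of Formats 2 and 3 can be checked mechanically. The following is an added example, not code from the paper: it encodes GSOS rules as small Python dictionaries and checks Format 2 (the Tr-format) and condition 1 of Format 3 over the rules of §2 and §3, together with two constructed rules that violate a clause. Condition 2 of the CTr-format (the existence of suitable CTr-testing sets) is not checked, which is why the synchronous composition rule passes here although Proposition 3 below places it outside the CTr-format. The rule names, the label set `ACTIONS` and the dictionary encoding are assumptions of the example.

```python
# Added example (not the paper's code): checkers for Format 2 (Tr-format) and
# for condition 1 of Format 3 (CTr-format), run over the rules of Sections 2-3.
# Condition 2 of the CTr-format (existence of CTr-testing sets) is not checked.
#
# A GSOS rule is a dict with
#   "source":   (f, [x1, ..., xn])
#   "premises": list of (x, a, y); y is the target variable of a positive
#               premise x --a--> y, or None for a negative premise x -a-/->
#   "target":   a term: a variable name (str) or (f, [subterm, ...])


def variables(term):
    """All variable occurrences in a term, with repetitions."""
    if isinstance(term, str):
        return [term]
    return [v for sub in term[1] for v in variables(sub)]


def tr_format(rule):
    """Format 2: every premise is positive, and no variable occurs more than
    once in the left-hand sides of premises together with the target."""
    if any(y is None for _, _, y in rule["premises"]):
        return False
    occurrences = [x for x, _, _ in rule["premises"]] + variables(rule["target"])
    return len(occurrences) == len(set(occurrences))


def ctr_condition1(rule, actions):
    """The four per-rule clauses of Format 3, condition 1."""
    prem = rule["premises"]
    negatives = {(x, a) for x, a, y in prem if y is None}
    target_vars = variables(rule["target"])
    lhs = [x for x, _, _ in prem]
    # a negative premise on x must be accompanied by one for every label
    if any((x, b) not in negatives for x, _ in negatives for b in actions):
        return False
    # no variable twice in the target
    if len(target_vars) != len(set(target_vars)):
        return False
    # no variable both in a premise's left-hand side and in the target
    if set(lhs) & set(target_vars):
        return False
    # the variable of a positive premise occurs in no other premise
    return all(lhs.count(x) == 1 for x, _, y in prem if y is not None)


def rule(f, vars_, premises, target):
    return {"source": (f, vars_), "premises": premises, "target": target}


ACTIONS = ["a", "b"]

# Rules from Sections 2 and 3 (one representative label each) plus two
# constructed rules that each violate a clause.
RULES = {
    "BPA prefix a.x --a--> x": rule("a.", ["x"], [], "x"),
    "BPA choice x+y --a--> x'": rule("+", ["x", "y"], [("x", "a", "x'")], "x'"),
    "encapsulation d(x) --a--> d(y)": rule("d", ["x"], [("x", "a", "y")], ("d", ["y"])),
    "synchronous x*y --a--> x'*y'": rule("*", ["x", "y"],
                                        [("x", "a", "x'"), ("y", "a", "y'")],
                                        ("*", ["x'", "y'"])),
    "sequential x;y --a--> x';y": rule(";", ["x", "y"], [("x", "a", "x'")],
                                       (";", ["x'", "y"])),
    "sequential x;y --a--> y' (x stuck)": rule(";", ["x", "y"],
                                              [("x", "a", None), ("x", "b", None),
                                               ("y", "a", "y'")], "y'"),
    "constructed: negative premise for a only": rule(";", ["x", "y"],
                                                   [("x", "a", None), ("y", "a", "y'")],
                                                   "y'"),
    "constructed: copying target": rule("c", ["x"], [("x", "a", "x'")],
                                        ("+", ["x'", "x'"])),
}


def check_all():
    """Map each rule name to (in Tr-format?, satisfies CTr condition 1?)."""
    return {name: (tr_format(r), ctr_condition1(r, ACTIONS)) for name, r in RULES.items()}
```

The second sequential-composition rule fails the Tr-format only because of its negative premises, and passes condition 1 of the CTr-format precisely because it carries a negative premise for every label; the constructed variant with a single negative premise is rejected by the first clause.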



Proposition 2. BPA is in CTr-format. □ 

The following example is taken from [2]. Assume $A = \{a, b\}$, and extend 
BPA with an operational rule for the so-called encapsulation operator 

$$\frac{x \xrightarrow{a} y}{\partial_{\{b\}}(x) \xrightarrow{a} \partial_{\{b\}}(y)}$$

Then it is easy to check that $aa + ab \sim_{CTr} a(a + b)$ but that $\partial_{\{b\}}(aa + ab) \not\sim_{CTr} 
\partial_{\{b\}}(a(a + b))$. 

Another example of an operational construct that is not well behaved with 
respect to completed traces is the synchronous composition, as shown in [27]. 
Here, we add the rules 

$$\frac{x \xrightarrow{a} x' \qquad y \xrightarrow{a} y'}{x \times y \xrightarrow{a} x' \times y'}$$

where $a$ ranges over $A = \{a, b\}$. Here it is easy to see that $aa \times (aa + ab) \not\sim_{CTr} 
aa \times a(a + b)$. 

These two examples have led the authors of [2] to speculate that one cannot 
hope for a general syntactic congruence format for completed trace equivalence. 

Proposition 3. The semantics for the encapsulation operator $\partial$ and the synchronous 
composition $\times$ are not in CTr-format. □ 
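The preorders of §2 and the two counterexamples above can be computed mechanically. The following is an added example, not code from the paper: it generates the finite LTS of closed BPA terms (extended with $\partial_B$, $\times$ and $;$) from the rules, computes the trace, completed trace and failures preorders via the formulae of §2, and reproduces the two completed-trace counterexamples of this section. The tuple encoding of terms is an assumption of the example, and `failures_seq_counterexample` is my own constructed instance illustrating the claim, attributed to [7] later in this section, that the failures preorder is not a precongruence for sequential composition; it is not necessarily the example given in [7].

```python
# Added example (not the paper's code): the trace, completed trace and failures
# preorders of Section 2, computed on the LTS that the BPA rules generate, with
# the encapsulation, synchronous composition and sequential composition rules
# of Section 3 added.  Closed terms are nested tuples:
#   ("0",)            nil            ("act", a, t)    prefix a.t
#   ("+", t, u)       choice         ("encap", B, t)  d_B(t), B a frozenset of labels
#   ("sync", t, u)    t x u          ("seq", t, u)    t ; u
# Every transition strictly shrinks the term, so the LTS is finite and acyclic
# and the recursions below terminate.


def step(t):
    """Outgoing transitions {(a, t')} of a closed term, read off the GSOS rules."""
    kind = t[0]
    if kind == "0":
        return set()
    if kind == "act":
        return {(t[1], t[2])}
    if kind == "+":
        return step(t[1]) | step(t[2])
    if kind == "encap":                      # x --a--> y, a not in B:  d_B(x) --a--> d_B(y)
        return {(a, ("encap", t[1], u)) for a, u in step(t[2]) if a not in t[1]}
    if kind == "sync":                       # x --a--> x', y --a--> y':  x*y --a--> x'*y'
        return {(a, ("sync", u, v))
                for a, u in step(t[1]) for b, v in step(t[2]) if a == b}
    if kind == "seq":
        left = step(t[1])
        if left:                             # x --a--> x':  x;y --a--> x';y
            return {(a, ("seq", u, t[2])) for a, u in left}
        return step(t[2])                    # x -b-/-> for all b, y --a--> y':  x;y --a--> y'
    raise ValueError(f"unknown construct {kind!r}")


def observations(t, actions):
    """Pairs (trace, R): R is the set of actions refused by the state that the
    trace reaches (A minus its enabled actions).  <a1>...<an>Q holds iff some
    (a1...an, R) has Q a subset of R; <a1>...<an>T holds iff a1...an occurs."""
    out = set()

    def walk(state, trace):
        moves = step(state)
        out.add((trace, frozenset(actions) - {a for a, _ in moves}))
        for a, nxt in moves:
            walk(nxt, trace + (a,))

    walk(t, ())
    return out


def below(w, p, q, actions):
    """p is below q in the W-preorder: every formula of F_W true of p holds of q."""
    op, oq = observations(p, actions), observations(q, actions)
    traces_p, traces_q = {s for s, _ in op}, {s for s, _ in oq}
    if w == "Tr":
        return traces_p <= traces_q
    if w == "CTr":                           # traces, plus traces ending in deadlock
        full = frozenset(actions)
        return traces_p <= traces_q and \
            {s for s, r in op if r == full} <= {s for s, r in oq if r == full}
    if w == "Fl":                            # every refusal of p is refusable by q
        return all(any(s == s2 and r <= r2 for s2, r2 in oq) for s, r in op)
    raise ValueError(w)


def equivalent(w, p, q, actions):
    return below(w, p, q, actions) and below(w, q, p, actions)


def pre(a, t=("0",)):
    return ("act", a, t)


A = {"a", "b"}
P = ("+", pre("a", pre("a")), pre("a", pre("b")))      # aa + ab
Q = pre("a", ("+", pre("a"), pre("b")))                 # a(a + b)


def section3_counterexamples():
    """(aa+ab ~CTr a(a+b), d_{b} breaks it, aa x _ breaks it), as in Section 3."""
    d = frozenset({"b"})
    aa = pre("a", pre("a"))
    return (equivalent("CTr", P, Q, A),
            not equivalent("CTr", ("encap", d, P), ("encap", d, Q), A),
            not equivalent("CTr", ("sync", aa, P), ("sync", aa, Q), A))


def failures_seq_counterexample():
    """A constructed instance (not necessarily the one in [7]) of the failures
    preorder failing to be a precongruence for ';': p = aa is below q = a(a+b) + a,
    but p;b is not below q;b, because after 'a' only p;b can still refuse {b}."""
    p = pre("a", pre("a"))
    q = ("+", pre("a", ("+", pre("a"), pre("b"))), pre("a"))
    return (below("Fl", p, q, A),
            below("Fl", ("seq", p, pre("b")), ("seq", q, pre("b")), A))
```

Only the maximal refusal of each reachable state is stored, since every failure $\langle a_1\rangle\cdots\langle a_n\rangle Q$ is witnessed by a state whose refused set contains $Q$; this keeps the failures check polynomial in the size of the LTS rather than exponential in $|A|$.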



For a non-trivial example of a transition system specification in CTr-format, 
extend BPA with sequential composition, defined by the rules 

$$\frac{x \xrightarrow{a} x'}{x ; y \xrightarrow{a} x' ; y} \qquad\qquad
  \frac{x \stackrel{b}{\nrightarrow} \text{ for all } b \in A \qquad y \xrightarrow{a} y'}{x ; y \xrightarrow{a} y'}$$

where $a$ ranges over $A$. 
Proposition 4. BPA extended with sequential composition is in CTr-format. □ 

We proceed to define a precongruence syntactic format for the failures preor- 
der. 

Definition 5 (Fl-testing set). An Fl-testing set $P$ over a set of variables 
$\{x_1, \ldots, x_n\}$ is a set of semiliterals of the form 

$$P = \{\, x_i \stackrel{a_i}{\nrightarrow} \;:\; i \in I \,\} \;\cup\; \{\, x_i \xrightarrow{a_{ij}} \;:\; 1 \le i \le n,\ 1 \le j \le m_i \,\}$$

(where $I \subseteq \{1, \ldots, n\}$, $m_i \in \mathbb{N}$), such that for any labels $a, b \in A$, if $x_i \xrightarrow{a} \in P$ 
and $x_i \stackrel{b}{\nrightarrow} \in P$ then $x_i \stackrel{a}{\nrightarrow} \in P$. 

Format 4 (Failures Format). A set of GSOS rules $R$ is in Fl-format, if 

1. For each rule $\rho \in R$: 

— no variable occurs more than once in the target of $\rho$, 

— no variable occurs simultaneously in the left-hand side of a premise and 
in the target of $\rho$, 

— no variable occurs simultaneously in the left-hand side of a positive premise 
and in the left-hand side of any other premise of $\rho$. 

2. For each construct $f(x_1, \ldots, x_n)$ of the language, and for each set of labels 
$Q \subseteq A$, there exists a sequence $P_1, \ldots, P_k$ of Fl-testing sets over $\{x_1, \ldots, x_n\}$, 
such that 

— For every (possibly renamed) rule $\rho \in R$ with the conclusion of the 
form $f(x_1, \ldots, x_n) \xrightarrow{a} t$ with $a \in Q$ and an arbitrary $t$, there exists 
a sequence $p_1, \ldots, p_k$ of semiliterals from $P_1, \ldots, P_k$ respectively, such 
that for every $i \in \{1, \ldots, k\}$ there exists a premise $r$ of $\rho$ such that $r$ 
completes $p_i$. 

— For every sequence $p_1, \ldots, p_k$ of semiliterals from $P_1, \ldots, P_k$ respectively, 
there exist a label $a \in Q$, a term $t$, and a (possibly renamed) 
rule $\rho \in R$ with the conclusion $f(x_1, \ldots, x_n) \xrightarrow{a} t$ such that for each 
premise $r$ of $\rho$ there exists an $i \in \{1, \ldots, k\}$ such that $r$ completes $p_i$. 



Proposition 6. BPA is in Fl-format. □ 

In [7] it was shown that the failures preorder is not a precongruence for BPA 
extended with sequential composition. 

Proposition 7. If A contains at least two different labels a, b, then BPA ex- 
tended with sequential composition is not in Fl-format. □ 

The Fl-format excludes many examples of transition system specifications 
that behave well with respect to the failures preorder. Many of these examples are 
covered by the 'failure trace format' introduced in [6]. However, the latter format 
excludes also some examples covered by Fl-format. Indeed, assume $a, b \in A$ and 
extend BPA with two unary constructs $g$, $h$ and rules (where $a$ ranges over $A$) 

$$\frac{x \xrightarrow{a} x'}{g(x) \xrightarrow{a} h(x')} \qquad\qquad
  \frac{x \xrightarrow{a} x'}{h(x) \xrightarrow{a} 0}$$

Proposition 8. BPA extended with $g$ and $h$ as above, is in Fl-format. □ 

However, the rules above are not in the 'failure trace format' proposed in [6]. 
This means that Fl-format is incomparable with that format. 

4 An Abstract Approach 

In this section we shall recall the foundations needed for the framework described 
in §5 and §6. First, we briefly recall how LTS can be described as coalgebras for 
a specific behaviour endofunctor and briefly recall final coalgebra semantics. We 
then proceed to recall several notions from the abstract approach to operational 
semantics of Plotkin and Turi [26]. 

In the following, $\mathcal{P} : \mathbf{Set} \to \mathbf{Set}$ will denote the (covariant) powerset functor. 
The (covariant) finite powerset functor $\mathcal{P}_f : \mathbf{Set} \to \mathbf{Set}$ takes a set to the set of 
its finite subsets. The reader is referred to [16] for any unexplained categorical 
notation used henceforward. 

There is a bijection between the set of finitely branching LTS over a fixed set 
of actions $A$ and the coalgebras of the functor $\mathcal{P}_f(A \times -)$. Indeed, given an LTS 
$(P, A, \to)$ let 

$$h : P \to \mathcal{P}_f(A \times P)$$

be defined by $h(p) = \{\, (a, p') : p \xrightarrow{a} p' \,\}$. 

The functor $\mathcal{P}_f(A \times -)$ has a final coalgebra $\varphi : S \to \mathcal{P}_f(A \times S)$. The carrier 
$S$ of this coalgebra may be described as the set of synchronisation trees with 
edges having labels from $A$, quotiented by bisimulation [4,25]. 

In the following we specialise the framework of [26] to the category $\mathbf{Set}$ and 
behaviour functor $\mathcal{P}_f(A \times -)$. Any syntactic signature $\Sigma$ determines a so-called 
syntactic endofunctor $\Sigma : \mathbf{Set} \to \mathbf{Set}$ which acts on sets by sending 

$$\Sigma X = \coprod_{f \in \Sigma} X^{\mathrm{ar}(f)} \qquad\qquad (1)$$

and the action on functions is the obvious one. The functor $\Sigma$ freely generates 
a monad $(T, \mu, \eta) : \mathbf{Set} \to \mathbf{Set}$. It turns out that $TX$ is (isomorphic to) the set 
of all terms over $\Sigma$ with variables from $X$. 

Theorem 9 ([26]). There is a correspondence between sets of rules in the 
GSOS format (Format 1) and natural transformations 

$$\lambda : \Sigma(\mathrm{id} \times \mathcal{P}_f(A \times -)) \Rightarrow \mathcal{P}_f(A \times T-)$$

Moreover, the correspondence is 1-1 up to equivalence of sets of rules. □ 
Assume a natural transformation $\lambda : \Sigma(\mathrm{id} \times B) \Rightarrow BT$. A $\lambda$-model is a pair 

$$\Sigma X \xrightarrow{\;h\;} X \xrightarrow{\;g\;} BX$$

such that $g \circ h = Bh^\sharp \circ \lambda_X \circ \Sigma\langle \mathrm{id}, g \rangle$ ($h^\sharp : TX \to X$ is the inductive extension of 
$h$). A $\lambda$-model morphism between $\Sigma X \xrightarrow{h} X \xrightarrow{g} BX$ and $\Sigma X' \xrightarrow{h'} X' \xrightarrow{g'} BX'$ 
is a morphism $f : X \to X'$ which is simultaneously a $\Sigma$-algebra morphism and 
a $B$-coalgebra morphism, i.e. $h' \circ \Sigma f = f \circ h$ and $g' \circ f = Bf \circ g$. Let $\lambda$-Mod 
denote the category of $\lambda$-models and $\lambda$-model morphisms. 

Theorem 10 ([26]). Suppose that $\mathbf{C}$ is a category, $\Sigma$ is an endofunctor which 
freely generates a monad $T$ and $B$ is an endofunctor which cofreely generates a 
comonad $D$. Then the following hold: 

1. $\lambda$-Mod has an initial and final object, 

2. the carrier and algebra part of the initial $\lambda$-model is the initial $\Sigma$-algebra, 

3. the carrier and coalgebra part of the final $\lambda$-model is the final $B$-coalgebra, 

4. the coalgebra part of the initial $\lambda$-model is the so-called intended operational 
model of $\lambda$. □ 

In particular, if $\mathbf{C} = \mathbf{Set}$ and $B = \mathcal{P}_f(A \times -)$, then the intended operational 
model of $\lambda$ is the LTS generated by the GSOS rules associated to $\lambda$. 

5 Process Equivalences from Fibred Functors 

In this section, we introduce the central concept of a test suite fibration. This is 
a modification of the yet unpublished framework [20,24] due to Plotkin and Turi. 
In that approach, the test suites (Definition 11) are necessarily topologies, that is, 
they satisfy certain closure properties. We relax this definition and require only 
that a test suite contains the largest test. This modification allows us to consider 
operational preorders and equivalences different from bisimulation. Also, the 
original framework was developed largely for Cppo-enriched categories; here we 
deal primarily with $\mathbf{Set}$. 

We define $2 = \{tt, ff\}$. Given a function $f : X \to Y$ and subsets $V \subseteq X$, 
$V' \subseteq Y$, we shall use $f(V)$ to denote the set $\{\, y \in Y : \exists x \in V.\ fx = y \,\}$ 
and similarly $f^{-1}(V')$ to denote $\{\, x \in X : fx \in V' \,\}$. Given a set $\tau \subseteq \mathcal{P}X$, the 
specialisation preorder of $\tau$ is defined by 

$$x \le_\tau x' \iff \forall V \in \tau.\ x \in V \Rightarrow x' \in V.$$

For an introduction to fibrations and related terminology, the reader is re- 
ferred to the first chapter of [14]. 

Definition 11 (Test suite). A test on a set $X$ is a function $V : X \to 2$. We say 
that an element $x$ passes a test $V$ iff $Vx = tt$. A test suite on $X$ is a collection 
of tests on $X$ which includes the maximal test, that is, the function constant at 
$tt$. Let $X^*$ denote the poset of test suites on $X$ ordered by inclusion. 
We can define a functor $(-)^* : \mathbf{Set}^{op} \to \mathbf{Pos}$ which sends a set to the poset 
of test suites $X^*$ and sends a function $f : X \to Y$ to $f^* : Y^* \to X^*$ defined by 

$$f^* \tau' = \{\, V' \circ f : V' \in \tau' \,\}.$$

Intuitively, we think of tests on $X$ as subsets of $X$. Then $f^*$ is the pre-image 
operation, taking each test on $Y$ to its pre-image under $f$, which is a test on $X$. 

Definition 12 (Test suite fibration). A fibration of test suites for $(-)^*$ is the 
fibration obtained using the Grothendieck construction, i.e. the total category 
$\mathbf{Set}^*$ has 

— objects: pairs $(X, \tau)$ where $X \in \mathbf{Set}$ and $\tau \in X^*$, i.e. $\tau$ is a test suite on $X$, 

— arrows: $(X, \tau) \to (X', \tau')$ is $f : X \to X'$ such that $f^* \tau' \subseteq \tau$. 

It is then standard that the obvious forgetful functor $U : \mathbf{Set}^* \to \mathbf{Set}$ taking 
$(X, \tau)$ to $X$ is a fibration. 

It will be useful to define various operations on test suites $\tau$. Letting 
$\nabla : 2 + 2 \to 2$ be the codiagonal and $\wedge : 2 \times 2 \to 2$ be logical-and, we let 

$$\begin{array}{rcl}
\tau \oplus \tau' & = & \{\, \nabla \circ (V + V') : V \in \tau,\ V' \in \tau' \,\} \\
\tau \otimes \tau' & = & \{\, \wedge \circ (V \times V') : V \in \tau,\ V' \in \tau' \,\} \\
\tau \boxtimes \tau' & = & \{\, V \circ \pi_1 : V \in \tau \,\} \cup \{\, V' \circ \pi_2 : V' \in \tau' \,\}.
\end{array}$$

It is easy to check that given two test suites, the families $\tau \oplus \tau'$, $\tau \otimes \tau'$ and $\tau \boxtimes \tau'$ 
are test suites. Intuitively, given test suites $\tau$ and $\tau'$ on $X$ and $Y$, $\tau \oplus \tau'$ is 
the test suite on $X + Y$ obtained by taking (disjoint) unions of tests from $\tau$ on 
$X$ and $\tau'$ on $Y$, $\tau \otimes \tau'$ is the test suite on $X \times Y$ consisting of tests built by 
performing a test from $\tau$ on $X$ and simultaneously performing a test from $\tau'$ on 
$Y$ and accepting when both tests accept; finally, $\tau \boxtimes \tau'$ is the test suite on $X \times Y$ 
which consists of either a test from $\tau$ on $X$ or a test from $\tau'$ on $Y$. 

Proposition 13. The category $\mathbf{Set}^*$ has coproducts and products: 

$$(X, \tau) + (Y, \tau') = (X + Y, \tau \oplus \tau') \qquad\qquad 
  (X, \tau) \times (Y, \tau') = (X \times Y, \tau \boxtimes \tau')$$

Let $B : \mathbf{Set} \to \mathbf{Set}$ be some behaviour endofunctor. A lifting of $B$ to $\mathbf{Set}^*$ 
is an endofunctor $B^* : \mathbf{Set}^* \to \mathbf{Set}^*$ such that, for some $B_X : X^* \to (BX)^*$ we 
have $B^*(X, \tau) = (BX, B_X \tau)$ and $B^* f = Bf$. It turns out that there are many 
possible choices for $B_X$ giving different liftings of $B$ to $\mathbf{Set}^*$. One systematic way 
to construct such liftings is via families of functions from $B2$ to $2$. Intuitively, 
such functions correspond to modalities like those in the Hennessy-Milner logic. 
In the original framework due to Plotkin and Turi [20,24] the canonical choice 
of all functions from $B2$ to $2$ is taken. 

For any $X$, let $\mathrm{Cl}_X : \mathcal{P}\mathcal{P}X \to X^*$ denote a closure operator. We shall only 
demand that for all $f : X \to Y$ and $Z \subseteq \mathcal{P}Y$ we have $\mathrm{Cl}_X f^* Z = f^* \mathrm{Cl}_Y Z$ 
(with the obvious extension of the domain of $f^*$ from $Y^*$ to $\mathcal{P}\mathcal{P}Y$). Intuitively, 
a closure operator corresponds to a set of propositional connectives. 

Given an arbitrary family $W$ of functions $B2 \to 2$, we define an operator 
$B^W_X : X^* \to (BX)^*$ as follows: 

$$B^W_X \tau = \mathrm{Cl}_{BX} \{\, w \circ BV : w \in W \text{ and } V \in \tau \,\}.$$

We are now in a position to construct a lifting of $B$ to $\mathbf{Set}^*$. Indeed, we let 
$B^W(X, \tau) = (BX, B^W_X \tau)$ and $B^W f = Bf$. It turns out that this defines an 
endofunctor $B^W$ on $\mathbf{Set}^*$. 

Theorem 14. Suppose that $B : \mathbf{Set} \to \mathbf{Set}$ has a final coalgebra $\varphi : S \to BS$. 
Then $\varphi : (S, M) \to (BS, B^W_S M)$ is a final $B^W$-coalgebra, where $M$ is the 
least fixpoint of the operator $\Phi(\tau) = \varphi^* B^W_S \tau$ on $S^*$. □ 

Suppose that $B : \mathbf{Set} \to \mathbf{Set}$ lifts to a functor $B^W : \mathbf{Set}^* \to \mathbf{Set}^*$ with $B^W_X$ 
defined as before. 

Theorem 15. Take any coalgebra $h : X \to BX$, and let $k : X \to S$ be the 
unique coalgebra morphism from $h$ to the final $B$-coalgebra. Then $k^* M$ (where 
$(S, M)$ is the carrier of the final $B^W$-coalgebra) is the least test suite $\tau$ on $X$ 
such that $h : (X, \tau) \to (BX, B^W_X \tau)$ is a morphism in $\mathbf{Set}^*$. □ 

From now on we shall assume a finite set of labels $A$ and confine our attention 
to the endofunctor $BX = \mathcal{P}_f(A \times X)$ on $\mathbf{Set}$. 

Assuming $a \in A$ and $Q \subseteq A$, let $w_{\langle a \rangle}, w_{rQ} : B2 \to 2$ denote the functions 

$$w_{\langle a \rangle} X = \begin{cases} tt & \text{if } (a, tt) \in X \\ ff & \text{otherwise} \end{cases}
\qquad\qquad
  w_{rQ} X = \begin{cases} tt & \text{if } \forall a \in Q\ \forall v \in 2.\ (a, v) \notin X \\ ff & \text{otherwise.} \end{cases}$$

We shall now define three subsets of maps $B2 \to 2$: 

$$Tr = \{\, w_{\langle a \rangle} : a \in A \,\} \qquad\quad 
  CTr = Tr \cup \{ w_{rA} \} \qquad\quad 
  Fl = Tr \cup \{\, w_{rQ} : Q \subseteq A \,\}$$

The set $Tr$ together with the closure operator $\mathrm{Cl}_X(\tau) = \tau \cup \{X\}$ determines 
$B^{Tr}_X$ for any $X$ and therefore determines a lifting of $B$ to $B^{Tr} : \mathbf{Set}^* \to \mathbf{Set}^*$. 
Similarly, $CTr$ with $\mathrm{Cl}$ and $Fl$ with $\mathrm{Cl}$ determine liftings $B^{CTr}$ and $B^{Fl}$ 
respectively. 

The following Theorems 16-18 show that the specialisation preorders in the 
final $B^{Tr}$-, $B^{CTr}$- and $B^{Fl}$-coalgebras coincide with the trace, the completed trace 
and the failures preorders. We use these facts to prove Theorem 19 which states 
that given any $h : X \to \mathcal{P}_f(A \times X)$, the specialisation preorders on certain test 
suites on $X$ coincide with these operational preorders. 

Theorems 16-18. In the final $B^W$-coalgebra, the specialisation preorder $\le_{M^W}$ 
coincides with $\sqsubseteq_W$, where $W \in \{Tr, CTr, Fl\}$. □ 

Theorem 19. Suppose that $h : X \to \mathcal{P}_f(A \times X)$ is a coalgebra (LTS), $\varphi : S \to 
BS$ is the final $B$-coalgebra and that $k : X \to S$ is the unique morphism given 
by finality. Then $x \le_{k^* M^W} x'$ if and only if $x \sqsubseteq_W x'$, where $W \in \{Tr, CTr, Fl\}$ 
and $(S, M^W)$ is the carrier of the final $B^W$-coalgebra. □ 
6 Application: Congruence Formats from Bialgebras 

To lift the bialgebraic framework to the total category $\mathbf{Set}^*$, we need a way to 
lift the syntactic and the behaviour functors together with the natural transformation 
$\lambda$. Various ways to lift the behaviour $B$ were shown in the previous 
section; now we proceed to show a lifting of the syntactic functor. 

Given a syntactic endofunctor $\Sigma$ on $\mathbf{Set}$ defined as in Eq. (1), define an 
endofunctor $\Sigma^*$ on $\mathbf{Set}^*$: $\Sigma^*(X, \tau) = (\Sigma X, \Sigma_X \tau)$, where 

$$\Sigma_X \tau = \mathrm{Cl}^{\cup} \bigoplus_{f \in \Sigma} \tau^{\otimes \mathrm{ar}(f)}$$

where $\mathrm{Cl}^{\cup}$ is closure under arbitrary unions, and $\tau^{\otimes n}$ denotes $\tau \otimes \tau \otimes \cdots \otimes \tau$ 
($n$ times). On arrows, given $f : (X, \tau) \to (X', \tau')$, we define simply $\Sigma^* f = \Sigma f$. It turns 
out that $\Sigma^*$ defined this way is an endofunctor on $\mathbf{Set}^*$. 

Theorem 20. Suppose that an endofunctor $F$ lifts to an endofunctor $F^*$, and 
has an initial algebra $\psi : FN \to N$. Then $\psi : (FN, F_N P) \to (N, P)$ is the initial 
$F^*$-algebra, where $P$ is the greatest fixpoint of the operator $\Psi(\tau) = (\psi^{-1})^* F_N \tau$ 
(here $\psi$ is an isomorphism by Lambek's lemma). 

Corollary 21. For any syntactic endofunctor $\Sigma$, the functor $\Sigma^*$ freely generates 
a monad $T^*$ that lifts the monad $T$ freely generated by $\Sigma$. □ 

A similar corollary about a behaviour lifting $B^W$ cofreely generating a comonad 
can be drawn from Theorem 14. These two corollaries allow us to apply 
Theorem 10 for the category $\mathbf{Set}^*$ and endofunctors $\Sigma^*$ and $B^W$. 

The following theorem is a crucial property of the endofunctor $\Sigma^*$. Indeed, 
varying the definition of $\Sigma^*$ in our framework would lead to definitions of various 
precongruence formats, but only as long as the following property holds. 

Theorem 22. For any $\Sigma^*$-algebra $h : (\Sigma X, \Sigma_X \tau) \to (X, \tau)$, the specialisation 
preorder $\le_\tau$ is a precongruence on $h : \Sigma X \to X$. □ 

We now have the technology needed to prove the main result of this section. 
Consider a natural transformation $\lambda : \Sigma(\mathrm{id} \times B) \Rightarrow BT$. By Theorem 10, the 
coalgebraic part of the initial $\lambda$-model has $N = T\emptyset$ as its carrier, and it is the 
intended operational model of $\lambda$. If $B = \mathcal{P}_f(A \times -)$, then the intended operational 
model is the LTS generated by the GSOS rules associated to $\lambda$. Let $k : N \to S$ be 
the final coalgebra morphism from the intended operational model to the final 
$B$-coalgebra. Assume $B$ lifts to some $B^*$ as before, and let $(S, M)$ be the carrier 
of the final $B^*$-coalgebra. 

Theorem 23. If $\lambda$ lifts to a natural transformation in the total category: 

$$\lambda : \Sigma^*(\mathrm{id} \times B^*) \Rightarrow B^* T^*,$$

then the specialisation preorder on $k^* M$ is a precongruence on $N$. 
Proof. (Sketch) In diagram (i) below, the left column is the initial $\lambda$-model while 
the right column is the final $\lambda$-model; the $\lambda$-model morphism $k$ is the unique 
morphism making both squares commutative. 

$$\begin{array}{ccc}
\Sigma^*(N, P) & \xrightarrow{\;\Sigma^* k\;} & \Sigma^*(S, M) \\
\downarrow{\scriptstyle \psi} & & \downarrow{\scriptstyle \delta} \\
(N, P) & \xrightarrow{\;k\;} & (S, M) \\
\downarrow{\scriptstyle e} & & \downarrow{\scriptstyle \varphi} \\
B^*(N, P) & \xrightarrow{\;B^* k\;} & B^*(S, M)
\end{array}
\qquad\qquad
\begin{array}{ccc}
\Sigma^*(N, k^* M) & \xrightarrow{\;\Sigma^* k\;} & \Sigma^*(S, M) \\
\downarrow{\scriptstyle \psi} & & \downarrow{\scriptstyle \delta} \\
(N, k^* M) & \xrightarrow{\;k\;} & (S, M) \\
\downarrow{\scriptstyle e} & & \downarrow{\scriptstyle \varphi} \\
B^*(N, k^* M) & \xrightarrow{\;B^* k\;} & B^*(S, M)
\end{array}$$

$$\text{(i)} \qquad\qquad\qquad\qquad\qquad\qquad\qquad\qquad \text{(ii)}$$

Our goal is to show that (ii) above is a diagram in $\mathbf{Set}^*$. If all the morphisms 
are defined then its commutativity follows from the commutativity of (i). By 
Theorem 15, $e : (N, k^* M) \to B^*(N, k^* M)$ is a $B^*$-coalgebra. 

Now $\psi^* k^* M = (\Sigma k)^* \delta^* M \subseteq (\Sigma k)^* (\Sigma_S M) \subseteq \Sigma_N (k^* M)$, where we use the 
fact that $\delta$ is a morphism in $\mathbf{Set}^*$ and the fact that $\Sigma^*$ is a functor. Thus $\psi : 
\Sigma^*(N, k^* M) \to (N, k^* M)$ is a $\Sigma^*$-algebra and by Theorem 22 the specialisation 
preorder of $k^* M$ is a precongruence. □ 



7 Precongruence Formats for (Almost) Free 

In this section we consider a syntactic endofunctor $\Sigma$ with a freely generated monad 
$T$, the behaviour functor $BX = \mathcal{P}_f(A \times X)$, and a set $R$ of GSOS rules with 
the corresponding natural transformation $\lambda : \Sigma(\mathrm{id} \times B) \Rightarrow BT$. The purpose is 
to describe syntactic conditions on $R$ that would ensure that $\lambda$ lifts to a natural 
transformation $\lambda : \Sigma^*(\mathrm{id} \times B^W) \Rightarrow B^W T^*$, where $W \in \{Tr, CTr, Fl\}$. As a 
consequence of Theorem 23, such syntactic conditions ensure that the respective 
operational preorders are precongruences. 

Theorems 24-26. For $W \in \{Tr, CTr, Fl\}$, if $R$ is in $W$-format (see Formats 
2-4), then $\lambda : \Sigma^*(\mathrm{id} \times B^W) \Rightarrow B^W T^*$ is a natural transformation in $\mathbf{Set}^*$. □ 



8 Conclusions 

We have presented an abstract coalgebraic approach to the description of va- 
rious operational preorders, via a fibration of test suites. In Theorems 16-18 we 
illustrated this approach on the trace preorder, the completed trace preorder 
and the failures preorder. Combined with bialgebraic methods, this framework 
allows the derivation of syntactic subformats of GSOS which guarantee that the 
above operational preorders are precongruences. Theorem 23 is a guideline in the 
search for such formats, and Theorems 24-26 are applications of the framework. 

The generality and abstractness of Theorem 23 prompted us to coin the expression 
'precongruence format for free'. However, it must be stressed that to 
derive a format for a given operational preorder remains a non-trivial task. Indeed, 
the proofs of Theorems 24-26 are quite long and technical. The expression 
'for free' reflects the fact that Theorem 23 lets us prove precongruence properties 
without considering the global behaviour (e.g. traces) of processes. Instead, one 
considers only simple test constructions, corresponding intuitively to single modalities. 

Related abstract approaches to operational preorders and equivalences in- 
clude those based on modal characterisations [10] and quantales [1]. In the latter 
framework, no syntactic issues have been addressed. In the former, some general 
precongruence formats have been obtained by attempting to decompose modal 
formulae according to given operational rules [7]. This technique bears some re- 
semblance to our approach, and the precise connections have to be investigated. 

There are several possible directions of future work. Firstly, the approach 
presented here can be extended to deal with other operational preorders and 
equivalences described in literature. Secondly, one can move from the GSOS 
format (and its subformats) to the more general (safe) ntree format [9], which 
can also be formalised in the bialgebraic framework [26]. Thirdly, the abstract 
framework of test suites seems to be general enough to cover other notions of 
process behaviour (e.g. involving store), or even other underlying categories (e.g. 
complete partial orders instead of sets). It may prove interesting to formalise 
various operational preorders in such cases and to find precongruence formats 
for them. 
Abstract. We propose a procedure for generating a Priority Rewrite System (PRS) 
for an arbitrary process language in the OSOS format. Rewriting of process terms 
is sound for bisimulation and head normalising within the produced PRSs. For a 
subclass of process languages representing finite behaviours the generated PRSs 
are strongly normalising (terminating), confluent and complete for bisimulation 
for closed terms modulo associativity and commutativity of the choice operator. 
We illustrate the usefulness of our procedure with several examples. 



1 Introduction 

Structural Operational Semantics (SOS) [20,3] is a method for assigning operational 
meaning to operators of process languages. The main components of SOS are transition 
rules, or simply SOS rules, which describe how the behaviour of a composite process 
depends on the behaviour of its component processes. A general syntactic form of 
transition rules is called a format. A process operator is in a format if all its SOS rules are 
in the format, and a process language, often abbreviated by PL, is in a format if all its 
operators are in the format. Many general formats have been proposed and a wealth of 
important results and specification and verification methods for PLs in these formats 
have been developed: see [3] for an overview. 

In order to realise the potential of general PLs, supporting software tools need to be 
developed. Such tools would accept general PLs as input languages and perform tasks 
such as simulation, model checking and equivalence checking, refinement and testing. 
Several such tools already exist. For example, we can use Process Algebra Compiler 
[22] to change the input PL to the Concurrency Workbench of New Century [12]. 

Alternatively, we can utilise the existing term rewrite and theorem prover software 
tools to analyse properties of processes of general PLs. To this end several procedures 
for automatic derivation of axiom systems and term rewrite systems for PLs in several 
formats were proposed [2,1,11,24,8]. The present paper continues the research of Aceto, 
Bloom and Vaandrager [2] and Bosscher [11], and extends and generalises it further. A 
new procedure for deriving Priority Rewrite Systems for bisimulation is presented. Our 
work delivers the following improvements: (a) priority rewrite rules are often simpler 
than those in [2,1,11], (b) the number of rewrite rules for typical operators is smaller 
(Remark 1 and 2), and (c) the priority order increases the effectiveness of term rewriting 
by reducing the nondeterminism inherent in rewriting [25]. We work with Ordered SOS 
PLs [26] (OSOS) instead of the GSOS PLs [10]. The proposed procedure generates 
term rewrite systems with a priority order on rewrite rules instead of axiom systems or 
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ordinary term rewrite systems as in [2,1 1]. We illustrate this with an example. Consider 
the priority operator ‘0’ [6]. For a given irreflexive partial order ^ on actions process 
9{p) is a restriction of p such that, in any state of p, action a can happen only if no action 
b with b ^ a is possible in that state. If Ba = {b \ b ^ a}, then 9 is defined by the 
following GSOS rules, one for each action a, where expressions of the form -«■ in 
the premises are called negative premises. 

XJ^X' X^X' 

0(X) 4 0(X') XAY 4 9(X') 

The second procedure in [2], also described in [1], produces the following axioms (laws) for $\theta$, where the basic operators of CCS, namely ‘+’, prefixing and ‘0’, are used. Since the rules for $\theta$ have several copies of $X$ in the premises, an auxiliary binary operator $\Delta$, defined above, is used by the second procedure in [2]. The axioms for $\theta$ consist of the axiom that makes copies of $X$, and the axioms for $\Delta$ consisting of the distributivity axiom, peeling axioms, and action and inaction axioms: 

$$\begin{array}{ll}
\theta(X) = X \,\Delta\, X & a.X \,\Delta\, (b.Y + Z) = a.X \,\Delta\, Z \quad \text{if } \neg(b > a) \\
(X + Y) \,\Delta\, Z = X \,\Delta\, Z + Y \,\Delta\, Z & a.X \,\Delta\, (b.Y + Z) = 0 \quad \text{if } b > a \\
0 \,\Delta\, X = 0 & a.X \,\Delta\, 0 = a.\theta(X)
\end{array}$$

The priority operator can be defined equivalently, and perhaps more intuitively, by positive GSOS rules equipped with an ordering that represents the priority order on actions: the ordering has the same effect as negative premises in rules. This is the idea behind the Ordered SOS format [26]. The OSOS rules for $\theta$ are, one rule $r_a$ for each action $a$, 

$$r_a:\ \frac{X \xrightarrow{a} X'}{\theta(X) \xrightarrow{a} \theta(X')}$$

and the ordering $>$ is such that $r_b > r_a$ whenever $b > a$. The ordering prescribes that rule $r_a$ can be applied to derive transitions of $\theta(p)$ only if no higher priority rule, e.g. $r_b$, can be applied to $\theta(p)$. This suggests an axiomatisation algorithm: derive axioms from the OSOS rules and then “order” them appropriately according to the ordering on the SOS rules. We orient the axioms from left to right to obtain rewrite rules and define a priority order, an irreflexive partial order (irreflexive and transitive), on these rewrite rules. Thus, we obtain a Priority Rewrite System (PRS), a notion originated by Baeten, Bergstra, Klop and Weijland [7]. The derived PRS for $\theta$ is listed below and contains one rewrite rule $\theta_{pr}$ for each pair of $a$ and $b$ such that $b > a$, and one $\theta_{act}$ rule for each $a$. 



$$\begin{array}{ll}
\theta_{pr}: & \theta(a.X + b.Y + Z) \to \theta(b.Y + Z) \qquad (b > a) \\
\theta_{dn}: & \theta(X + 0) \to \theta(X) \\
\theta_{ds}: & \theta(X + Y) \to \theta(X) + \theta(Y) \\
\theta_{act}: & \theta(a.X) \to a.\theta(X) \\
\theta_{nil}: & \theta(X) \to 0
\end{array}$$

The priority order on the above rewrite rules is defined by $\theta_{pr} \succ \theta_{dn} \succ \theta_{ds}$ and $\{\theta_{ds}, \theta_{act}\} \succ \theta_{nil}$. Note that we have fewer rewrite rules (schemes) than the axioms (schemes) above, and no need for the auxiliary $\Delta$. Our PRSs are sound for bisimulation and head normalising. For OSOS PLs generating finite behaviours (linear and syntactically well-founded OSOS PLs) the generated PRSs are also strongly normalising and confluent. Finally, for the mentioned subclass of OSOS PLs, the generated PRSs are complete for bisimulation. 



2 Preliminaries 

This section recalls the notions of bisimulation and the GSOS and OSOS formats. OSOS and GSOS have the same expressive power [26]: OSOS is a reformulation of GSOS where rules of the form (2) together with orderings on rules have the same capability to define operational semantics as rules of the form (1). 



2.1 Bisimulation 

A labelled transition system (LTS) is a structure $(\mathcal{P}, A, \to)$, where $\mathcal{P}$ is the set of processes, $A$ is the set of actions and $\to \subseteq \mathcal{P} \times A \times \mathcal{P}$ is a transition relation. $\mathcal{P}$ is ranged over by $p, q, p', q', \ldots$. The set $Act$ is a finite set of actions and it is ranged over by $a, b, c$ and their subscripted versions. The action $\tau$ is the silent action, but we do not treat it differently from other actions. We permit $Act$ to have a structure: for example $Act$ may consist of action labels and co-labels as in CCS [18]. We write $p \xrightarrow{a} q$ for $(p, a, q) \in \to$ and read it as: process $p$ performs $a$ and in doing so becomes process $q$. Expressions of the form $p \xrightarrow{a} q$ will be called transitions. We write $p \xrightarrow{a}$ when there is $q$ such that $p \xrightarrow{a} q$, and $p \stackrel{a}{\nrightarrow}$ otherwise. We recall the definition of bisimulation [18]: 

Definition 1. Given $(\mathcal{P}, Act, \to)$, a relation $R \subseteq \mathcal{P} \times \mathcal{P}$ is a bisimulation if, for all $(p, q) \in R$ and all $a \in Act$, $p \xrightarrow{a} p'$ implies $\exists q'.\,(q \xrightarrow{a} q' \text{ and } p' R q')$, and $q \xrightarrow{a} q'$ implies $\exists p'.\,(p \xrightarrow{a} p' \text{ and } p' R q')$. We write $p \sim q$ if there is a bisimulation $R$ such that $p R q$. 



2.2 GSOS and OSOS Formats 

The OSOS format [26] is an alternative to the GSOS format [10]. The reader can find in [26] the motivation for the OSOS format and many examples of its application. Before we recall the definitions of the formats we introduce several notions and notations. 

$Var$ is a countable set of variables ranged over by $X, X_i, Y, Y_i, \ldots$. $\Sigma_n$ is a set of operators with arity $n$. A signature $\Sigma$ is a collection of all $\Sigma_n$ and it is ranged over by $f, g, \ldots$. The members of $\Sigma_0$ are called constants; $0 \in \Sigma_0$ is the deadlocked process operator. The set of open terms over $\Sigma$ with variables in $V \subseteq Var$, denoted by $T(\Sigma, V)$, is ranged over by $t, t', s, s'$. $Var(t) \subseteq Var$ is the set of variables in a term $t$. The set of closed terms, written as $T(\Sigma)$, is ranged over by $p, q, \ldots$. In the setting of process languages these terms will often be called process terms. A $\Sigma$ context with $n$ holes $C[X_1, \ldots, X_n]$ is a member of $T(\Sigma, \{X_1, \ldots, X_n\})$, where all $X_i$ are distinct. If $t_1, \ldots, t_n$ are $\Sigma$ terms, then $C[t_1, \ldots, t_n]$ is the term obtained by substituting $t_i$ for $X_i$ for $1 \le i \le n$. We will use bold italic font to abbreviate the notation for sequences. For example, a sequence of process terms $p_1, \ldots, p_n$, for any $n \in \mathbb{N}$, will often be written as $\boldsymbol{p}$ when the length is understood from the context, for example $f(\boldsymbol{p})$. 

A closed substitution is a mapping $Var \to T(\Sigma)$. Closed substitutions are ranged over by $\sigma$; they extend to $T(\Sigma, Var) \to T(\Sigma)$ mappings in a standard way. 

Definition 2. [10] A GSOS rule is an expression of the form 

$$\frac{\{ X_i \xrightarrow{a_{ij}} Y_{ij} \}_{i \in I,\, j \in J_i} \qquad \{ X_k \stackrel{b_{kl}}{\nrightarrow} \}_{k \in K,\, l \in L_k}}{f(\boldsymbol{X}) \xrightarrow{a} C[\boldsymbol{X}, \boldsymbol{Y}]} \qquad (1)$$

where $\boldsymbol{X}$ is the sequence $X_1, \ldots, X_n$ and $\boldsymbol{Y}$ is the sequence of all $Y_{ij}$, and all process variables in $\boldsymbol{X}$ and $\boldsymbol{Y}$ are distinct. Variables in $\boldsymbol{X}$ are the arguments of $f$. Moreover, $I$ and $K$ are subsets of $\{1, \ldots, n\}$, all $J_i$ and $L_k$, for $i \in I$ and $k \in K$, are finite subsets of $\mathbb{N}$, and $C[\boldsymbol{X}, \boldsymbol{Y}]$ is a context. 

Let $r$ be a rule of the form (1). Operator $f$ is the operator of $r$ and $rules(f)$ is the set of rules with the operator $f$. Expressions $t \xrightarrow{a} t'$ and $t \stackrel{a}{\nrightarrow}$, where $t, t' \in T(\Sigma, V)$, are called transitions and negative transitions respectively. Transitions are ranged over by $T$ and $T'$. If transition $T$ is $X \xrightarrow{a} X'$, we will sometimes write $\neg T$ to denote $X \stackrel{a}{\nrightarrow}$. A (negative) transition which involves only closed terms is called a closed (negative) transition. The set of transitions and negative transitions above the horizontal bar in $r$ is called the premises of $r$, written $pre(r)$. The transition below the bar in $r$ is the conclusion. Action $a$ in the conclusion of $r$ is the action of $r$, and $f(\boldsymbol{X})$ and $C[\boldsymbol{X}, \boldsymbol{Y}]$ are the source and target of $r$, respectively. The $i$-th argument $X_i$ is active in $r$ if $X_i \xrightarrow{a_{ij}} Y_{ij}$ or $X_i \stackrel{b_{il}}{\nrightarrow}$ is a premise of $r$ for some $a_{ij}$ and $b_{il}$. The set of all $i$ such that $X_i$ is active in $r$ is denoted by $active(r)$. Moreover, the $i$-th argument of $f$ is active if $i \in active(r')$ for some rule $r'$ for $f$. 

Definition 3. A positive GSOS rule (transition rule, or OSOS rule, or simply a rule) is a GSOS rule with $K = \emptyset$. With the notation as in Definition 2, it has the form 

$$\frac{\{ X_i \xrightarrow{a_{ij}} Y_{ij} \}_{i \in I,\, j \in J_i}}{f(\boldsymbol{X}) \xrightarrow{a} C[\boldsymbol{X}, \boldsymbol{Y}]} \qquad (2)$$

Next, we recall the notion of ordering on rules [26]. An ordering on OSOS rules for operator $f$, $>_f$, is a binary relation over the rules for $f$. For the purpose of this paper we assume without loss of generality that orderings are irreflexive (i.e. $r > r$ never holds) and transitive. In general, there are situations where non-transitive or non-irreflexive relations are useful orderings on rules [26]. Expression $r >_f r'$ is interpreted as $r$ having higher priority than $r'$ when deriving transitions of terms with $f$ as the outermost operator. Given $\Sigma$, $>_\Sigma$, or simply $>$ if $\Sigma$ is known from the context, is $\bigcup_{f \in \Sigma} >_f$. 

Definition 4. A GSOS PL is a tuple $(\Sigma, A, R)$, where $\Sigma$ is a finite set of operators, $A \subseteq Act$, and $R$ is a finite set of GSOS rules for operators in $\Sigma$ such that all actions mentioned in the rules belong to $A$. An operator of a GSOS PL is called a GSOS operator. 

An Ordered SOS (OSOS) PL is a tuple $(\Sigma, A, R, >)$, where $\Sigma$ is a finite set of operators, $A \subseteq Act$, $R$ is a finite set of rules for operators in $\Sigma$, written as $rules(\Sigma)$, such that all actions mentioned in the rules belong to $A$, and $>$ is an ordering on $rules(\Sigma)$. An operator of an OSOS PL is called an OSOS operator. 

Given an OSOS process language $G = (\Sigma, A, R, >)$, we associate a unique transition relation $\to$ with $G$. The details are given in [26]. Having the transition relation for $G$, we easily construct $(T(\Sigma), A, \to)$, the LTS for $G$. Bisimulation is defined over this LTS as in Definition 1. Since GSOS and OSOS are equally expressive, namely every GSOS process language can be equivalently given as an OSOS process language and vice versa [26], bisimulation is a congruence for all OSOS PLs. 

An OSOS PL $H$ is a disjoint extension of an OSOS PL $G$, written as $G \le H$, if the signature, the rules and the orderings of $H$ include those of $G$, and $H$ introduces no new rules and orderings for the operators in $G$. 

2.3 GSOS = OSOS 

The expressiveness results in [26] show that in general OSOS rules with orderings have 
the same effect as GSOS rules with negative premises. 

Example 1. Consider the OSOS and GSOS definitions of the sequential composition operator ‘;’: 

$$r_{a*}:\ \frac{X \xrightarrow{a} X'}{X ; Y \xrightarrow{a} X' ; Y} \qquad r_{*c}:\ \frac{Y \xrightarrow{c} Y'}{X ; Y \xrightarrow{c} Y'} \qquad r'_{*c}:\ \frac{\{ X \stackrel{a}{\nrightarrow} \}_{a \in Act} \quad Y \xrightarrow{c} Y'}{X ; Y \xrightarrow{c} Y'}$$

Rules $r_{a*}$ and $r_{*c}$, for all actions $a$ and $c$, together with $>$ defined by $r_{a*} > r_{*c}$, for all $a$ and $c$, comprise the OSOS formulation. Rules $r_{a*}$ and $r'_{*c}$, for all $a$ and $c$, form the GSOS definition. 



Most of the typical process operators that are (or may be) defined by GSOS rules with negative premises have natural and efficient OSOS formulations. We mention just a few: priority choice (Sect. 4), the hide operator of ET-LOTOS [16] (Example 9) and several delay operators [19,13,5]. There are operators whose OSOS definitions are more efficient than their GSOS definitions: timed extensions of traditional operators such as the parallel composition of TPL (Example 2), and others [25]. However, we cannot think of a popular operator whose GSOS formulation is more efficient than its OSOS formulation. Further discussion can be found in [25]. 

Example 2. Consider Hennessy and Regan’s Temporal Process Language (TPL) [13]. It has a delay operator ‘$\lfloor\ \rfloor(\ )$’ defined by the following GSOS rules, where $a$ is any action except $\tau$ and $\sigma$, and the action $\sigma$ denotes the passage of one time unit: 

$$r_a:\ \frac{X \xrightarrow{a} X'}{\lfloor X \rfloor(Y) \xrightarrow{a} X'} \qquad r_\tau:\ \frac{X \xrightarrow{\tau} X'}{\lfloor X \rfloor(Y) \xrightarrow{\tau} X'} \qquad \frac{X \stackrel{\tau}{\nrightarrow}}{\lfloor X \rfloor(Y) \xrightarrow{\sigma} Y}$$

The OSOS formulation of $\lfloor\ \rfloor(\ )$ uses the first two rules above and the premise-free rule $r_\sigma:\ \lfloor X \rfloor(Y) \xrightarrow{\sigma} Y$. The ordering is $r_\tau > r_\sigma$. The parallel composition ‘$\|$’ of TPL is a timed extension of the CCS parallel with the following non-GSOS rule (left); its OSOS counterpart $r_\sigma$ (right) has no negative premise: 

$$\frac{X \xrightarrow{\sigma} X' \quad Y \xrightarrow{\sigma} Y' \quad X \| Y \stackrel{\tau}{\nrightarrow}}{X \| Y \xrightarrow{\sigma} X' \| Y'} \qquad\qquad r_\sigma:\ \frac{X \xrightarrow{\sigma} X' \quad Y \xrightarrow{\sigma} Y'}{X \| Y \xrightarrow{\sigma} X' \| Y'}$$

The rule requires that $p \| q$ can pass time if both $p$ and $q$ can pass time, are stable and cannot communicate. The OSOS formulation has the standard CCS rules (where the communication rules are denoted by $r_{a\bar{a}}$) and the above timed rule $r_\sigma$, which is placed below all the rules with the action $\tau$, namely the two $\tau$-rules and all communication rules $r_{a\bar{a}}$. The GSOS formulation of $\|$ [25] contains the rules 

$$\frac{X \xrightarrow{\sigma} X' \quad Y \xrightarrow{\sigma} Y' \quad X \stackrel{\tau}{\nrightarrow} \quad Y \stackrel{\tau}{\nrightarrow} \quad \{ \neg T \mid a \in Act \setminus \{\tau, \sigma\} \wedge T \in pre(r_{a\bar{a}}) \}}{X \| Y \xrightarrow{\sigma} X' \| Y'}$$

where the premise $\neg T$ for a fixed $a$ is either $X \stackrel{a}{\nrightarrow}$ or $Y \stackrel{\bar{a}}{\nrightarrow}$. The OSOS formulation uses one timed rule and the ordering which places $r_\sigma$ below all the rules for $\|$ with the action $\tau$, whereas the GSOS formulation uses $2^k$ timed rules, where $k = |Act \setminus \{\tau, \sigma\}|$. 
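The two formulations in Examples 1 and 2 can be executed side by side. The following is an added example in Python, not code from the paper: a small rule interpreter in which positive rules with an ordering (OSOS) and rules with negative premises (GSOS) derive transitions from the same term encoding, followed by a bisimulation check in the sense of Definition 1 computed by refinement over the finite state spaces. The tuple encoding of terms, the action names and the rule-table layout are this example's own assumptions; the ordering is read as in the paper, i.e. a rule contributes transitions only when no rule above it applies.

```python
from itertools import product

# Added example (not the paper's code): an interpreter for OSOS rules
# (positive premises + ordering) and GSOS rules (negative premises), plus a
# bisimulation check.  Term encoding and rule layout are assumptions.
NIL = ('0',)
def pre(a, t):    return ('pre', a, t)
def plus(s, t):   return ('+', s, t)
def seq(s, t):    return (';', s, t)       # Example 1, OSOS version
def seqg(s, t):   return (';g', s, t)      # Example 1, GSOS version
def delay(s, t):  return ('delay', s, t)   # Example 2 floor(X)(Y), OSOS
def delayg(s, t): return ('delayg', s, t)  # Example 2 floor(X)(Y), GSOS

ACT = ('a', 'b', 'tau', 'sigma')           # sigma: one time unit passes

def rule(name, act, target, pos=(), neg=()):
    """pos/neg: (argument index, action) premises; target(args, derivatives)."""
    return dict(name=name, act=act, target=target, pos=tuple(pos), neg=tuple(neg))

OPS = {}   # operator -> (rules, ordering as a set of (higher, lower) names)

# CCS choice: no ordering and no negative premises.
OPS['+'] = ([rule('l' + a, a, lambda A, Y: Y[0], pos=[(0, a)]) for a in ACT] +
            [rule('r' + a, a, lambda A, Y: Y[0], pos=[(1, a)]) for a in ACT], set())

# Example 1: OSOS puts every r_{a*} above every r_{*c}; GSOS instead gives
# r'_{*c} the negative premises "X cannot do a" for every action a.
r_left  = [rule('r_%s*' % a, a, lambda A, Y: seq(Y[0], A[1]), pos=[(0, a)]) for a in ACT]
r_right = [rule('r_*%s' % c, c, lambda A, Y: Y[0], pos=[(1, c)]) for c in ACT]
OPS[';'] = (r_left + r_right, {('r_%s*' % a, 'r_*%s' % c) for a in ACT for c in ACT})
g_left  = [rule('r_%s*' % a, a, lambda A, Y: seqg(Y[0], A[1]), pos=[(0, a)]) for a in ACT]
g_right = [rule("r'_*%s" % c, c, lambda A, Y: Y[0], pos=[(1, c)],
                neg=[(0, a) for a in ACT]) for c in ACT]
OPS[';g'] = (g_left + g_right, set())

# Example 2: the OSOS delay has a premise-free r_sigma placed below r_tau;
# the GSOS delay gives r_sigma the negative premise "X cannot do tau".
visible = [rule('r_' + a, a, lambda A, Y: Y[0], pos=[(0, a)]) for a in ('a', 'b', 'tau')]
OPS['delay']  = (visible + [rule('r_sigma', 'sigma', lambda A, Y: A[1])],
                 {('r_tau', 'r_sigma')})
OPS['delayg'] = (visible + [rule('r_sigma', 'sigma', lambda A, Y: A[1], neg=[(0, 'tau')])],
                 set())

def instances(r, args):
    """Conclusions of rule r at f(args): every choice of derivatives that
    satisfies the positive premises, provided all negative premises hold."""
    if any(act == b for i, b in r['neg'] for act, _ in trans(args[i])):
        return set()
    choices = [[t2 for act, t2 in trans(args[i]) if act == a] for i, a in r['pos']]
    return {(r['act'], r['target'](args, list(ys))) for ys in product(*choices)}

def trans(t):
    """All transitions (action, derivative) of closed term t."""
    if t == NIL:
        return set()
    if t[0] == 'pre':
        return {(t[1], t[2])}
    rules, order = OPS[t[0]]
    inst = {r['name']: instances(r, t[1:]) for r in rules}
    # OSOS reading of the ordering: r contributes only if no rule above it
    # is applicable to this term (irreflexive, transitive orderings assumed).
    return set().union(*(inst[r['name']] for r in rules
                         if not any(inst[hi] for hi, lo in order if lo == r['name'])))

def reach(t):
    seen, todo = set(), [t]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(t2 for _, t2 in trans(s))
    return seen

def bisimilar(p, q):
    """Definition 1 as a greatest fixed point: start from all pairs of
    reachable states and drop pairs that violate the transfer condition."""
    states = reach(p) | reach(q)
    R = {(s, t) for s in states for t in states}
    def simulated(s, t, rel):
        return all(any(b == a and (u, v) in rel for b, v in trans(t)) for a, u in trans(s))
    changed = True
    while changed:
        changed = False
        for s, t in list(R):
            if not (simulated(s, t, R) and simulated(t, s, {(v, u) for u, v in R})):
                R.discard((s, t))
                changed = True
    return (p, q) in R
```

With `a0 = pre('a', NIL)` and `b0 = pre('b', NIL)`, `trans(seq(a0, b0))` yields only the `a` step, because the applicable $r_{a*}$ blocks every $r_{*c}$; `trans(seq(NIL, b0))` yields the `b` step, exactly as the negative premises of the GSOS version allow it, and `bisimilar(seq(a0, b0), seqg(a0, b0))` holds. For the delay, `delay(pre('tau', NIL), b0)` cannot pass time under either formulation, while `delay(a0, b0)` can.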

2.4 Classes of GSOS and OSOS Operators 

The axiomatisation algorithms in [2] produce several types of axioms (laws) for GSOS operators depending on the form of the operators’ definitions. Three types of definitions, and hence three classes of operators, are defined: smooth, distinctive and discarding. Our PRS algorithm relies on partitioning OSOS operators into operators free of implicit copies and simply distinctive operators. 

A GSOS rule is smooth [2] if it has the form 

$$\frac{\{ X_i \xrightarrow{a_i} Y_i \}_{i \in I} \qquad \{ X_k \stackrel{b_{kl}}{\nrightarrow} \}_{k \in K,\, l \in L_k}}{f(X_1, \ldots, X_n) \xrightarrow{a} C[\boldsymbol{X}, \boldsymbol{Y}]}$$

where $I$ and $K$ are disjoint sets with $I \cup K = \{1, \ldots, n\}$, and no $X_i$ appears in $C[\boldsymbol{X}, \boldsymbol{Y}]$ when $i \in I$. A GSOS operator is smooth if all its defining rules are smooth. 

Multiple occurrences of process variables in rules are called copies. They are either explicit or implicit copies [23,26]. Given a rule $r$ as in Definition 3, explicit copies are the multiple occurrences of variables $Y_{ij}$ and $X_i$, for $i \notin I$, in the target $C[\boldsymbol{X}, \boldsymbol{Y}]$. The implicit copies are the multiple occurrences of $X_i$ in the premises of $r$ and the occurrences, not necessarily multiple, of variables $X_i$ in $C[\boldsymbol{X}, \boldsymbol{Y}]$ when $i \in I$. Consider 

$$\frac{X_1 \xrightarrow{a} Y_{11} \qquad X_1 \xrightarrow{b} Y_{12} \qquad X_2 \xrightarrow{c} Y_{21}}{h(X_1, X_2, X_3, X_4) \xrightarrow{a} g(X_2, X_3, X_3, X_4, Y_{11}, Y_{11})}$$

There are implicit copies of $X_1$ in the premises and implicit copies of $X_2$ in the target (just one occurrence). The copies of $X_3$ and $Y_{11}$ are explicit. There are no copies of $X_4$. A rule with no implicit copies is free of implicit copies, and an OSOS operator is free of implicit copies if its rules are free of implicit copies. We notice that smooth GSOS rules can be defined using the notion of implicit copies: a GSOS rule of the form (1) is smooth if it has no implicit copies, and $I$ and $K$ are disjoint sets with $I \cup K = \{1, \ldots, n\}$. 

Hence, if a GSOS operator is smooth, then its OSOS formulation is free of implicit copies [25]. The converse is not valid, as there are non-smooth GSOS operators whose OSOS formulations are free of implicit copies. Examples are the priority operator $\theta$, the timed version of the parallel operator of TPL in Example 2, and the hiding operator of ET-LOTOS [16] given in [27] and recalled in Example 9. 

A GSOS operator $f$ is distinctive [2] if it is smooth and satisfies the distinctiveness property: for each argument $i$, the argument either appears in positive premises of all rules for $f$ or in none of them, and also, for each pair of different rules for $f$, there is an argument for which both rules have a positive premise, but with different actions. We use a similar notion. An OSOS operator $f$ is simply distinctive if it is free of implicit copies and satisfies distinctiveness. It is not the case that if an OSOS formulation of a GSOS operator is simply distinctive, then the GSOS operator is distinctive: consider $\theta$. The converse is not valid either [25]. However, we cannot think of a popular distinctive GSOS operator which has no simply distinctive OSOS formulation. 



3 Term Rewrite Systems 



We recall the basic notions of term rewriting [15,4]. A Term Rewriting System (TRS) $\mathcal{R}$ is a pair $(\Sigma, R)$ where $\Sigma$ is a signature and $R$ is a set of reduction rules or rewrite rules. We associate a countable set of variables $V \subseteq Var$ with each TRS. A reduction rule is a pair of terms $(t, s)$ over $T(\Sigma, V)$ and it is written as $t \to s$. Two conditions are imposed on the terms of reduction pairs: $t$ is not a variable, and $Var(s) \subseteq Var(t)$. Often a reduction rule has a name, for example $r$, and thus we write $r : t \to s$. 

A reduction rule $r : t \to s$ can be seen as a prescription for deriving rewrites $\sigma t \to \sigma s$ for all substitutions $\sigma$, where a rewrite is a closed instance of a reduction rule. The left-hand side $\sigma t$ is called a redex, more precisely an $r$-redex. The right-hand side $\sigma s$ is called a contractum. A redex $\sigma t$ may be replaced by its contractum $\sigma s$ in an arbitrary context $C[\ ]$, giving rise to a reduction step (one-step rewriting): $C[\sigma t] \to_r C[\sigma s]$. We call $\to_r$ the one-step reduction relation generated by $r$. The one-step reduction relation of a TRS $\mathcal{R}$, denoted by $\to_{\mathcal{R}}$ or simply by $\to$, is defined as the union of $\to_r$ for all $r \in R$. Let $R$ be a set of rewrites. The closure of $R$ under closed contexts is denoted by $\to_R$. The transitive and reflexive closure of $\to$ ($\to_R$) is called reduction ($R$-reduction) and is written as $\twoheadrightarrow$ ($\twoheadrightarrow_R$). A reduction of term $f(t_1, \ldots, t_n)$ is internal if it occurs solely in the subterms $t_1, \ldots, t_n$, leaving the head operator $f$ unaffected. A term $t$ is strongly normalising (terminating) if it has no infinite reductions; and $t$ is called confluent if any two reducts of $t$ are convergent (or joinable), namely have a common reduct. A TRS is strongly normalising and confluent if all its terms have these properties. 

The notions that are crucial in proving confluence are overlap and critical pair [15,4]. For confluence we use the result due to Knuth and Bendix [15] that states that if a TRS is strongly normalising, then it is confluent iff all its critical pairs are convergent. 
3.1 Rewriting modulo AC 

The application of term rewriting in concurrency is somewhat complicated by the need to preserve the commutativity and associativity of the nondeterministic choice operator $+$: namely $X + Y = Y + X$ and $X + (Y + Z) = (X + Y) + Z$, respectively. These properties are denoted by $c_1$ and $c_2$. The equations cannot be oriented without losing the normalising property. For example, if we turn $c_1$ into $X + Y \to Y + X$, then $t + t' \to t' + t \to t + t' \to \cdots$. Therefore, we shall use term rewriting modulo the commutativity and the associativity of $+$. We denote the axioms $c_1$ and $c_2$ by AC and the equivalence class of terms $t$ under AC by $[t]_{AC}$. For terms $t$, $t'$ and $s$ such that $t' \in [t]_{AC}$, if $t' \to s$, then we shall write $t \to_{AC} s$ and $[t]_{AC} \to_{AC} [s]_{AC}$. We define $t \twoheadrightarrow_{AC} s$ and $[t]_{AC} \twoheadrightarrow_{AC} [s]_{AC}$ as the appropriate transitive reflexive closures of $\to_{AC}$. The internal reductions of $t \to_{AC} s$ and $[t]_{AC} \to_{AC} [s]_{AC}$ are defined in the corresponding way to the internal reductions of $\to$. Henceforth, we drop all subscripts AC. 

Example 3. Consider $\Sigma = \{(0, 0), (+, 2)\} \cup \{(a., 1) \mid a \in Act\}$, where $0$ is the deadlocked process operator, ‘$a.$’ are the prefixing with action $a$ operators, for all $a \in Act$, and $+$ is the CCS choice operator. The transition rules for $\Sigma$ are given in Definition 7. Let $(\Sigma, R)$ be a TRS with the following set $R$ of reduction rules: $r_1 : X + 0 \to X$ and $r_2 : X + X \to X$. Term $a.X + (a.X + 0)$ reduces to $a.X$ as follows: $a.X + (a.X + 0) \to_{r_1} a.X + a.X \to_{r_2} a.X$. There is another reduction modulo AC to $a.X$: $a.X + (a.X + 0) = (a.X + a.X) + 0 \to_{r_2} a.X + 0 \to_{r_1} a.X$. Hence, $[a.X + (a.X + 0)] \twoheadrightarrow [a.X]$. 

$(\Sigma, R)$ is strongly normalising. Interpret $0$, $a.X$ and $X + Y$ as the polynomials $2$, $2X$ and $X + Y$ to obtain polynomial termination modulo AC. The TRS is confluent modulo AC. Reduction rules $r_1$ and $r_2$ have a simple overlap which replaces $X$ with $0$. We have $0 + 0 \to_{r_1} 0$ and $0 + 0 \to_{r_2} 0$. Hence, the only critical pair is $([0], [0])$, and it is joinable. 

3.2 Priority Rewriting 

As transition rules for process operators can be equipped with orderings that indicate which transition rules to apply first, reduction rules can also have an ordering associated with them. This ordering, called the priority order, specifies the order in which rewrite rules are to be used to rewrite a term. This is illustrated by the following simple example. 

Example 4. The TRS from Example 3 is now equipped with a priority order $\succ$ defined by $r_1 \succ r_2$. As before, $a.X + (a.X + 0) \twoheadrightarrow [a.X]$ because $a.X + (a.X + 0) \to_{r_1} a.X + a.X$, and since $a.X$ cannot be reduced to $0$, $a.X + a.X$ then reduces to $a.X$ by rule $r_2$. However, the second reduction from Example 3 is not correct (intended) in this new setting. After $a.X + (a.X + 0) = (a.X + a.X) + 0$, both $r_1$ and $r_2$ can be used; but since $r_1$ has priority over $r_2$ we must apply $r_1$: $(a.X + a.X) + 0 \to_{r_1} a.X + a.X$. Now, only $r_2$ can be used. 

Next, consider the term $t = (a.X + 0) + (a.X + 0)$. The term is an $r_2$-redex; it is not an $r_1$-redex, although it contains $r_1$-redexes. We may wish to reduce the term with $r_2$ ahead of $r_1$. This is not intended in the new setting: we must either use the higher priority $r_1$ to reduce the subterms $a.X + 0$ to $a.X$ first, or use AC to convert $t$ to the $r_1$-redex $((a.X + 0) + a.X) + 0$ and reduce it as $[((a.X + 0) + a.X) + 0] \to_{r_1} [(a.X + a.X) + 0] \to_{r_1} [a.X + a.X] \to_{r_2} [a.X]$. In general, a rewrite rule $r_2$ with a lower priority than $r_1$ can be applied to term $t$ in favour of $r_1$ if no internal reduction (reduction sequence leaving the head operator unaffected) modulo AC of $t$ can produce a contractum that is an $r_1$-redex. We recall the basic notions of term rewriting with priority [7,21,28]. 

Definition 5. A Priority Rewrite System, or PRS for short, is a tuple $(\Sigma, T, \succ)$ where $(\Sigma, T)$ is a TRS and $\succ$ is a partial order on $T$ called the priority order. Let $\mathcal{P} = (\Sigma, T, \succ)$ be a PRS, and let $R$ be a set of rewrites for $\mathcal{P}$, namely closed substitution instances of reduction rules of $\mathcal{P}$. The rewrite $r : t \to s$ is correct with respect to $R$ (modulo AC) if there is no internal reduction $[t] \twoheadrightarrow [t']$ such that $r' : t' \to s' \in R$ with $r' \succ r$. $R$ is sound if all its rewrites are correct w.r.t. $R$. $R$ is complete if it contains all rewrites of $\mathcal{P}$ which are correct w.r.t. $R$. $\mathcal{P}$ is well-defined if it has a unique sound and complete rewrite set; this set is called the semantics of $\mathcal{P}$. 

If the underlying TRS of a PRS is strongly normalising modulo AC, then the PRS is well-defined and strongly normalising modulo AC. Hence, the PRS from Example 4 is well-defined and strongly normalising modulo AC; it is also confluent. 

Definition 6. Let $G = (\Sigma, A, S, >)$ be an OSOS process language. Let $\mathcal{P} = (\Sigma, T, \succ)$ be a well-defined PRS with its unique sound and complete rewrite set $R$. A rewrite $t \to s$ of $R$, where $t$ and $s$ are closed $\Sigma$ terms, is sound for bisimulation if $t \sim s$. A rewrite rule $r_0 \in T$, $r_0 : t \to s$, is sound for bisimulation if every $r_0$-rewrite which is correct with respect to the semantics of $\mathcal{P}$ is sound for bisimulation. $\mathcal{P}$ is sound for bisimulation if all its rewrite rules are. The set $R$ is complete for bisimulation if whenever $t \sim s$, then $t$ $R$-reduces modulo AC to a normal form $t'$, $s$ $R$-reduces modulo AC to a normal form $s'$ and $[t'] = [s']$. $\mathcal{P}$ is complete for (strong) bisimulation if its rewrite set $R$ is. 

4 Basic Language 

Our language contains a new operator, called priority choice, which is denoted by ‘$\rhd$’. 

Definition 7. The basic language, B, is an OSOS process language $(\Sigma_B, A, R, >)$, where $\Sigma_B = \Sigma_0 \cup \Sigma_1 \cup \Sigma_2$ with $\Sigma_0 = \{(0, 0)\}$, $\Sigma_1 = \{(a., 1) \mid a \in A\}$ and $\Sigma_2 = \{(+, 2), (\rhd, 2)\}$, $A \subseteq_{fin} Act$, and $R$ and $>$ are the set of rules and the ordering as follows, where every rule for $\rhd$ with $X$ in the premises is above every rule for $\rhd$ with $Y$ in the premises: 

$$a.X \xrightarrow{a} X \qquad \frac{X \xrightarrow{a} X'}{X + Y \xrightarrow{a} X'} \qquad \frac{Y \xrightarrow{a} Y'}{X + Y \xrightarrow{a} Y'} \qquad \frac{X \xrightarrow{a} X'}{X \rhd Y \xrightarrow{a} X'} \qquad \frac{Y \xrightarrow{a} Y'}{X \rhd Y \xrightarrow{a} Y'}$$

The prefixing $a.$ binds stronger than $\rhd$, which in turn binds stronger than $+$. 

B generates the LTS $\mathbf{B} = (T(\Sigma_B), A, \to)$. Bisimulation over $\mathbf{B}$ is defined accordingly. Let $\mathcal{B}$ be the PRS for B defined in Table 1. Notice that the reduction rules $+_{nil}$, $+_{ice}$ and $\rhd_{act}$ on their own are sound for bisimulation, but $\rhd_{dsl}$ is not sound on its own. Let $\sigma X = 0$, $\sigma Y = a.0$ and $\sigma Z = b.0$; then $\sigma((X + Y) \rhd Z) \sim a.0$ but $\sigma(X \rhd Z + Y \rhd Z) \sim a.0 + b.0$. However, putting $\rhd_{dsl}$ below $\rhd_{dnl}$ solves this problem, as $\rhd_{dsl}$ can then only be applied when neither $\sigma X$ nor $\sigma Y$ reduces to $0$. 

Theorem 1. $\mathcal{B}$ is strongly normalising and confluent modulo AC, and sound and complete for bisimulation. 

Table 1. Reduction rules and the priority order for B 

$$\begin{array}{ll}
+_{nil}: X + 0 \to X & \rhd_{dnl}: (X + 0) \rhd Z \to X \rhd Z \\
+_{ice}: X + X \to X & \rhd_{dsl}: (X + Y) \rhd Z \to X \rhd Z + Y \rhd Z \\
& \rhd_{act}: a.X \rhd Y \to a.X \\
& \rhd_{nil}: X \rhd Y \to Y
\end{array}$$

$$+_{nil} \succ +_{ice} \qquad \rhd_{dnl} \succ \rhd_{dsl} \qquad \{\rhd_{dsl}, \rhd_{act}\} \succ \rhd_{nil}$$
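The PRS $\mathcal{B}$ of Table 1, extended with the $\theta$ rules from the Introduction and with $r_1 \succ r_2$ of Example 4 (which is $+_{nil} \succ +_{ice}$ here), can be run as a normaliser. The following is an added example in Python, not code from the paper: sums are kept as sorted tuples so that rewriting is modulo AC, and a rewrite at the head is performed only if no higher-priority rule matches once the arguments are in normal form. Normalising the arguments first is the example's own strategy for realising the correctness condition of Definition 5; it is justified here because the system is strongly normalising and confluent (Theorem 1), but it is not the paper's procedure. The function `dsl_first` shows what goes wrong when $\rhd_{dsl}$ is used without the priority order, on the substitution from the text. The tuple encoding and the action order `b > a` are assumptions of the example.

```python
# Added example (not the paper's code): the PRS of Table 1 plus the theta
# rules of the Introduction, executed as a normaliser modulo AC with the
# priority order applied at the head.  Encoding is an assumption.
NIL = ('0',)
def pre(a, t):   return ('pre', a, t)
def pc(s, t):    return ('pc', s, t)        # s |> t  (priority choice)
def theta(t):    return ('theta', t)

def mk_sum(terms):
    """AC-canonical sum: flatten nested sums and sort the summands; a
    one-element sum is the summand itself."""
    xs = []
    for x in terms:
        xs.extend(x[1] if x[0] == '+' else [x])
    xs.sort(key=repr)
    return xs[0] if len(xs) == 1 else ('+', tuple(xs))

ACTION_ORDER = {('b', 'a')}      # assumed priority on actions: b > a

def without(xs, x):
    """Remove one occurrence of x from tuple xs (AC lets us pick any)."""
    i = xs.index(x)
    return xs[:i] + xs[i + 1:]

def head_rules(t):
    """{rule name: contractum} for every rule whose left-hand side matches
    t at the head; the arguments of t are assumed to be in normal form."""
    out, op = {}, t[0]
    if op == '+':
        xs = t[1]
        if NIL in xs:
            out['+nil'] = mk_sum(without(xs, NIL))
        dup = next((x for x in xs if xs.count(x) > 1), None)
        if dup is not None:
            out['+ice'] = mk_sum(without(xs, dup))
    elif op == 'pc':
        x, z = t[1], t[2]
        if x[0] == '+' and NIL in x[1]:
            out['>dnl'] = pc(mk_sum(without(x[1], NIL)), z)
        if x[0] == '+':
            out['>dsl'] = mk_sum([pc(x[1][0], z), pc(mk_sum(x[1][1:]), z)])
        if x[0] == 'pre':
            out['>act'] = x
        out['>nil'] = z
    elif op == 'theta':
        x = t[1]
        if x[0] == '+':
            prefixes = [s for s in x[1] if s[0] == 'pre']
            low = [s for s in prefixes if any((h[1], s[1]) in ACTION_ORDER for h in prefixes)]
            if low:                       # theta_pr: drop a lower-priority summand
                out['th_pr'] = theta(mk_sum(without(x[1], low[0])))
            if NIL in x[1]:
                out['th_dn'] = theta(mk_sum(without(x[1], NIL)))
            out['th_ds'] = mk_sum([theta(x[1][0]), theta(mk_sum(x[1][1:]))])
        if x[0] == 'pre':
            out['th_act'] = pre(x[1], theta(x[2]))
        out['th_nil'] = NIL
    return out

PRIO = {('+nil', '+ice'), ('>dnl', '>dsl'), ('>dsl', '>nil'), ('>act', '>nil'),
        ('th_pr', 'th_dn'), ('th_dn', 'th_ds'), ('th_ds', 'th_nil'), ('th_act', 'th_nil')}
while True:                      # the priority order is transitive: close it
    extra = {(a, d) for a, b in PRIO for c, d in PRIO if b == c} - PRIO
    if not extra:
        break
    PRIO |= extra

def nf(t):
    """Normal form: normalise the arguments, then apply a matching head rule
    that no matching higher-priority rule dominates (Definition 5)."""
    if t == NIL:
        return t
    if t[0] == 'pre':
        return pre(t[1], nf(t[2]))
    if t[0] == '+':
        t = mk_sum([nf(x) for x in t[1]])
        if t[0] != '+':
            return t
    elif t[0] == 'pc':
        t = pc(nf(t[1]), nf(t[2]))
    elif t[0] == 'theta':
        t = theta(nf(t[1]))
    cands = head_rules(t)
    live = [r for r in cands if not any((hi, r) in PRIO for hi in cands)]
    return nf(cands[live[0]]) if live else t

def dsl_first(t):
    """What |>_dsl gives when applied to (X + Y) |> Z ahead of the priority
    order: the unsound reading discussed in the text."""
    x, z = t[1], t[2]
    return nf(mk_sum([pc(s, z) for s in x[1]]))
```

On the counterexample of the text, `nf(pc(('+', (NIL, a0)), b0))` is `a0` because the argument `0 + a.0` normalises to `a.0` before $\rhd_{act}$ fires, whereas `dsl_first` on the same term returns `a.0 + b.0`. With `b > a`, `nf(theta(('+', (a0, b0))))` is `b0`: $\theta_{pr}$ removes the `a` summand and dominates $\theta_{ds}$ through the transitive closure of the priority order, after which $\theta_{act}$ and $\theta_{nil}$ finish the job.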



5 Rewrite Rules for Arbitrary OSOS Operators 

Arbitrary OSOS operators can be grouped into three disjoint sets: operators that are not free of implicit copies, operators that are free of implicit copies and are not simply distinctive, and simply distinctive operators. For each type of operator (and the auxiliary operators) Lemmas 1, 2 and 3 specify the type of rewrite rules and the priority orders associated with them. 

If an OSOS operator $(f, n)$ is not free of implicit copies, then we can construct a free of implicit copies OSOS operator $(f^c, m)$, with $m > n$, that does the job of $f$. This is achieved in the same way as for GSOS operators which are not smooth due to implicit copies [2] (Lemmas 5.1 and 5.2) and, therefore, is left without a proof. 

Lemma 1. Let $G$ be an OSOS PL with signature $\Sigma$. Let $\mathcal{P} = (\Sigma, R, \succ)$ be a well-defined PRS that is sound for bisimulation. Suppose $(f, n) \in \Sigma$ is an operator not free of implicit copies. Then, there is a disjoint extension $G'$ of $G$ with a free of implicit copies operator $(f^c, m)$ such that $m > n$, and a PRS $\mathcal{P}' = (\Sigma \cup \{f^c\}, R \cup \{f_{copy}\}, \succ)$, where $f_{copy} : f(\boldsymbol{X}) \to f^c(\boldsymbol{Y})$ is the copying rewrite rule, for some vector $\boldsymbol{X}$ of $n$ distinct variables and a vector $\boldsymbol{Y}$ of $m$ variables from $\boldsymbol{X}$, such that $\mathcal{P}'$ is sound for bisimulation. 

As an example consider the operator $(h, 4)$ from Sect. 2.4. The operator has implicit copies of its first two arguments, and the operator $h^c$, the free of implicit copies version of $h$ required by Lemma 1, uses two extra arguments as follows: 

$$\frac{X_1^1 \xrightarrow{a} Y_{11} \qquad X_1^2 \xrightarrow{b} Y_{12} \qquad X_2^1 \xrightarrow{c} Y_{21}}{h^c(X_1^1, X_1^2, X_2^1, X_2^2, X_3, X_4) \xrightarrow{a} g(X_2^2, X_3, X_3, X_4, Y_{11}, Y_{11})}$$

The copying rewrite rule for $h$ is $h(X_1, X_2, X_3, X_4) \to h^c(X_1, X_1, X_2, X_2, X_3, X_4)$. 

Remark 1. Non-smooth operators that have no implicit copies but test some arguments both positively and negatively, for example $\theta$ and the parallel in Example 2, require auxiliary operators that copy the relevant arguments (Lemma 5.2 in [2]). As we use orderings on rules, such auxiliary copying operators are not needed in our setting. 

If an operator $(f, n)$ is free of implicit copies and is not simply distinctive, then $rules(f)$ and the ordering can be partitioned into a number of sets of simply distinctive rules with the orderings inherited from the original ordering, thus leading to a rewrite rule corresponding to the distinctifying law in [2]. We need the following notation. Assume an OSOS PL with signature $\Sigma$ that contains the operators $+$ and $\rhd$. The sets of auxiliary terms and sum terms are defined inductively as follows: (a) $f(\boldsymbol{X})$ is a sum term for each $f \in \Sigma \setminus \{+, \rhd\}$; (b) if $s$ and $t$ are sum terms, then $t + s$ is a sum term; (c) if $s$ and $t$ are sum terms, then $s \rhd t$ is an auxiliary term; (d) if $s$ is a sum term and $t$ is an auxiliary term, then $s + t$, $t + s$ and $s \rhd t$ are auxiliary terms ($t \rhd s$, for example $(f \rhd f' + f'') \rhd g$, is not an auxiliary term). 

Lemma 2. Let $G$ be an OSOS PL with signature $\Sigma$ such that B $\le G$. Let $\mathcal{P} = (\Sigma, R, \succ)$ be a well-defined PRS that is sound for bisimulation. Suppose $(f, n) \in \Sigma$ is a free of implicit copies operator which is not simply distinctive. Then, there is 

- $G'$ such that $G \le G'$ with $l$ simply distinctive operators $(f_i, n)$, thus creating a new $\Sigma'$, 

- an auxiliary term $AuxiliaryTerm[f_1(\boldsymbol{X}), \ldots, f_l(\boldsymbol{X})]$ constructed from all operators $(f_i, n)$ and involving only the operators $(f_i, n)$, and 

- a PRS $\mathcal{P}' = (\Sigma', R \cup \{f_{aux}\}, \succ)$ where $f_{aux} : f(\boldsymbol{X}) \to AuxiliaryTerm[f_1(\boldsymbol{X}), \ldots, f_l(\boldsymbol{X})]$ is the auxiliary rewrite rule (note that $f_{aux}$ is “unordered” w.r.t. the rewrite rules in $R$), 

and the PRS $\mathcal{P}'$ is sound for bisimulation. 

We find the auxiliary operators $f_i$ by partitioning $rules(f)$ into sets $R_i$ such that (a) each $R_i$ defines a simply distinctive operator and (b) for every pair $R_i, R_j$, where $i, j \in \{1, \ldots, l\}$, either $R_i > R_j$, or $R_j > R_i$, or $R_i$ and $R_j$ are unordered. In other words, either $R_i$ is wholly above $R_j$, or vice versa, or the ordering between the rules in $R_i$ and $R_j$ is empty. For each such set we change the operator of each SOS rule from $f$ to the relevant $f_i$, leaving the rest unchanged. Thus, we obtain $l$ simply distinctive operators $(f_i, n)$. As for constructing the auxiliary terms required by Lemma 2, a general procedure can be found in [25]. 

Example 5. Consider B extended with the CCS parallel composition operator ‘$\|$’, which is not simply distinctive but is free of implicit copies. Assume that, for each $a \in A \subseteq Act \setminus \{\tau\}$, we have $\bar{a} \in Act$ and $\bar{\bar{a}} = a$. Lemma 2 requires three auxiliary simply distinctive operators for $\|$. These operators are the left-merge, written as ‘$\lfloor\!\lfloor$’, the right-merge, written as ‘$\rfloor\!\rfloor$’, and the communication merge, written as ‘$|$’, with standard definitions as in [9,2]. Since there is no ordering on the rules, the auxiliary term does not involve $\rhd$, and the auxiliary rewrite rule is an instance of the distinctifying law and rewrite rule of [2,11]: 

$$X \| Y \to (X \lfloor\!\lfloor Y) + (X \rfloor\!\rfloor Y) + (X \mid Y).$$

Example 6. The operator ; from Example 1 is not simply distinctive; it is, however, free of implicit copies. The operator has two active arguments and its rules can be easily partitioned into two sets defining simply distinctive operators. The set of rules $r_{a*}$ is wholly above the set of rules $r_{*c}$. The auxiliary operators $;_1$ and $;_2$ required by Lemma 2 are defined below, and the auxiliary rewrite rule is $X ; Y \to (X ;_1 Y) \rhd (X ;_2 Y)$. 

$$\frac{X \xrightarrow{a} X'}{X ;_1 Y \xrightarrow{a} X' ; Y} \qquad\qquad \frac{Y \xrightarrow{c} Y'}{X ;_2 Y \xrightarrow{c} Y'}$$
Example 7. Consider a version of the CCS parallel that gives priority to communication over concurrency. The operator is defined simply by putting each and every communication rule above all the concurrency rules. The GSOS definition of this operator is quite awkward (see a similar operator in Example 2). As in Example 5, we need the three auxiliary operators $\lfloor\!\lfloor$, $\rfloor\!\rfloor$ and $|$, and, because of the ordering on rules, the auxiliary rewrite rule uses $\rhd$ as well as $+$: 

$$X \| Y \to (X \mid Y) \rhd (X \lfloor\!\lfloor Y + X \rfloor\!\rfloor Y).$$

Example 8. The auxiliary rewrite rule for $\lfloor\ \rfloor(\ )$ in Example 2 is $\lfloor X \rfloor(Y) \to \lfloor X \rfloor(Y)_a + (\lfloor X \rfloor(Y)_\tau \rhd \lfloor X \rfloor(Y)^\sigma)$, whereas the GSOS version of the operator has the rule $\lfloor X \rfloor(Y) \to \lfloor X \rfloor(Y)_a + \lfloor X \rfloor(Y)_\sigma$. Here, the auxiliary operators $\lfloor\ \rfloor(\ )_x$ are defined by the appropriate rules based on the rules $r_x$ from Example 2, and $\lfloor\ \rfloor(\ )^\sigma$ is defined by $\lfloor X \rfloor(Y)^\sigma \xrightarrow{\sigma} Y$. 

Finally, we consider simply distinctive operators. For such operators there are priority resolving, distributivity, action and deadlock rewrite rules. First, we introduce some useful notation. When an OSOS rule $r$ has no implicit copies (has the form (3)), the trigger of $r$ is an $n$-tuple $(a_1, \ldots, a_n)$, where $a_i = *$ if $i \notin I$. We often write $\boldsymbol{a}$ for $(a_1, \ldots, a_n)$, and $\boldsymbol{a}.\boldsymbol{X}$ denotes the vector $a_1.X_1, \ldots, a_n.X_n$, where if $a_i = *$, then $a_i.X_i$ is simply $X_i$. When we write $\boldsymbol{a}.\boldsymbol{Y} + \boldsymbol{b}.\boldsymbol{Z}$, we assume that the summand vectors, $\boldsymbol{a}.\boldsymbol{Y}$ and $\boldsymbol{b}.\boldsymbol{Z}$, have the same length and are summed elementwise. Correspondingly for $\boldsymbol{X} + \boldsymbol{a}.\boldsymbol{Y}$. 

Lemma 3. Let $G$ be an OSOS PL with signature $\Sigma$ such that B $\le G$. Let $\mathcal{P} = (\Sigma, R, \succ)$ be a well-defined PRS that is sound for bisimulation. Let $(f, n) \in \Sigma$ be a simply distinctive operator defined by rules of the following form, where $Y_i = X_i'$ if $i \in I$, and $Y_i = X_i$ otherwise: 

$$\frac{\{ X_i \xrightarrow{a_i} X_i' \}_{i \in I}}{f(X_1, \ldots, X_n) \xrightarrow{a} C[\boldsymbol{Y}]} \qquad (3)$$

1. For each pair of rules $r$ and $r'$ of the form (3) with non-empty premises such that $r > r'$, and for triggers $\boldsymbol{a}.\boldsymbol{Y}$ and $\boldsymbol{b}.\boldsymbol{Z}$ of $r$ and $r'$ respectively, the priority resolving rewrite rule is $f_{pr} : f(\boldsymbol{X} + \boldsymbol{a}.\boldsymbol{Y} + \boldsymbol{b}.\boldsymbol{Z}) \to f(\boldsymbol{X} + \boldsymbol{a}.\boldsymbol{Y})$. 

2. For each active argument $i$ of $f$ the following are the distributivity rewrite rules for $f$ and $i$: $f_{dn(i)} : f(\ldots, X_i + 0, \ldots) \to f(\ldots, X_i, \ldots)$ and $f_{ds(i)} : f(\ldots, X_i + Y_i, \ldots) \to f(\ldots, X_i, \ldots) + f(\ldots, Y_i, \ldots)$. The priority order satisfies $f_{pr} \succ f_{dn(i)}$ for each rule $f_{pr}$ and each active $i$, and $f_{dn(i)} \succ f_{ds(i)}$ for each active $i$. 

3. For each rule for $f$ of the form (3) with trigger $\boldsymbol{a}.\boldsymbol{X}$ the action rewrite rule is $f_{act} : f(\boldsymbol{a}.\boldsymbol{X}) \to a.C[\boldsymbol{X}]$. If $f$ has no active arguments, then $f_{act}$ is $f(\boldsymbol{X}) \to a.C[\boldsymbol{X}]$. 

4. The deadlock rewrite rule is $f_{nil} : f(\boldsymbol{X}) \to 0$, and the priority order satisfies $\{f_{ds(i)}, f_{act}\} \succ f_{nil}$ for all rewrite rules $f_{ds(i)}$ and $f_{act}$. 

Then, there is a PRS $\mathcal{P}' = (\Sigma, R', \succ')$, where $R'$ is $R$ extended with all the above listed priority resolving, distributivity, action and deadlock rules for $f$, and $\succ'$ is $\succ$ extended with the above listed orderings. Moreover, $\mathcal{P}'$ is sound for bisimulation. 
Remark 2. There are fewer rules for typical simply distinctive OSOS operators than for their GSOS formulations mainly due to a large number of inaction rules for GSOS operators. Overall, a typical OSOS operator has fewer rewrite rules than its GSOS formulation, even though it may use more auxiliary operators (Example 8). Our algorithm produces k + 10 rules for the OSOS ⌊ ⌋( ) compared with 2k + 6 rules for the GSOS version of ⌊ ⌋( ) generated by the second procedure in [2], where $k = |Act \setminus \{\tau, \sigma\}|$.

If the ordering on rules(f) is empty, then there would be no priority resolving rewrite rules for f. Out of the operators that we have discussed so far only the priority operator θ is simply distinctive with a non-trivial ordering on its rules. All the rewrite rules and the priority order for θ required by Lemma 3 have been given in the Introduction. Another example of a simply distinctive operator with a non-trivial ordering on its SOS rules is the hide operator of ET-LOTOS [16]:

Example 9. Our definition of hide employs simple OSOS r ules instead of rules with negative premises and a lookahead as in [16]. The defining rules, for a ∈ A and a ∉ A respectively, are

\[ \frac{X \xrightarrow{a} X'}{\mathit{hide}\ A\ \mathit{in}\ X \xrightarrow{\tau} \mathit{hide}\ A\ \mathit{in}\ X'}\ \ (a \in A) \qquad \frac{X \xrightarrow{a} X'}{\mathit{hide}\ A\ \mathit{in}\ X \xrightarrow{a} \mathit{hide}\ A\ \mathit{in}\ X'}\ \ (a \notin A) \]

where σ ∉ A, $r_\sigma$ is a timed rule and the ordering is $r_a > r_\sigma$ for all a ∈ A.

The rewrite rules required by Lemma 3 are given below.

$\mathit{hide}_{pr}$ : hide A in (a.X + σ.Y + Z) → hide A in (a.X + Z)

$\mathit{hide}_{dn}$ : hide A in (X + 0) → hide A in X

$\mathit{hide}_{ds}$ : hide A in (X + Y) → hide A in X + hide A in Y

$\mathit{hide}^a_{act}$ : hide A in (a.X) → a.(hide A in X)      for a ∉ A ∪ {σ}

$\mathit{hide}^a_{act}$ : hide A in (a.X) → τ.(hide A in X)      for a ∈ A

$\mathit{hide}^\sigma_{act}$ : hide A in (σ.X) → σ.(hide A in X)

$\mathit{hide}_{nil}$ : hide A in X → 0

We have one $\mathit{hide}_{pr}$ rule for every a ∈ A, one $\mathit{hide}^a_{act}$ rule (with prefix a) for every a ∉ A ∪ {σ}, and one $\mathit{hide}^a_{act}$ rule (with prefix τ) for every a ∈ A. The priority order satisfies $\mathit{hide}_{pr} \succ \mathit{hide}_{dn} \succ \mathit{hide}_{ds}$ for all priority resolving rules $\mathit{hide}_{pr}$. Moreover, $\{\mathit{hide}_{ds}, \mathit{hide}^a_{act}, \mathit{hide}^\sigma_{act}\} \succ \mathit{hide}_{nil}$ for all a.
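As an added illustration, not taken from the paper, the following Python function applies the rewrite rules of Example 9 to a term hide A in P whose argument P is already a sum of prefixes, respecting the priority order that Lemma 3 prescribes: it first removes 0 summands ($\mathit{hide}_{dn}$) and, whenever some summand is prefixed by a hidden action, all σ summands ($\mathit{hide}_{pr}$); these two removals commute, so the result is the one the ordering $\mathit{hide}_{pr} \succ \mathit{hide}_{dn}$ yields. Only then does it distribute over + ($\mathit{hide}_{ds}$) and rename prefixes ($\mathit{hide}^a_{act}$, $\mathit{hide}^\sigma_{act}$); an empty result is the deadlock 0 ($\mathit{hide}_{nil}$). The term encoding as nested tuples, with the strings "tau" and "sigma" standing for τ and σ, is this example's own choice.

```python
# Added example, not code from the paper: a head normaliser for the ET-LOTOS-style
# hide operator, applying hide_pr, hide_dn, hide_ds, hide_act and hide_nil of
# Example 9 in the priority order required by Lemma 3.
# Terms are nested tuples: ("nil",), ("pre", action, P), ("sum", P, Q), ("hide", A, P).

TAU, SIGMA = "tau", "sigma"   # names chosen here for the internal action and the time action

def summands(p):
    """Flatten nested + into a list: rewriting is modulo associativity and commutativity."""
    if p[0] == "sum":
        return summands(p[1]) + summands(p[2])
    return [p]

def plus(terms):
    """Rebuild a right-nested sum; the empty sum is the deadlock process 0."""
    if not terms:
        return ("nil",)
    acc = terms[-1]
    for t in reversed(terms[:-1]):
        acc = ("sum", t, acc)
    return acc

def hide_hnf(hidden, p):
    """Rewrite hide A in p to head normal form: a sum of action prefixes, or 0.

    hidden is the set A; p must already be a sum of prefixes (or 0)."""
    parts = [q for q in summands(p) if q != ("nil",)]              # hide_dn: drop 0 summands
    if any(q[0] != "pre" for q in parts):
        raise ValueError("argument must be a sum of action prefixes")
    if any(q[1] in hidden for q in parts):                         # hide_pr: a in A beats sigma,
        parts = [q for q in parts if q[1] != SIGMA]                #   so time cannot pass
    result = []
    for _, act, cont in parts:                                     # hide_ds, then hide_act
        new_act = TAU if act in hidden else act                    # a in A becomes tau; other
        result.append(("pre", new_act, ("hide", hidden, cont)))    #   actions and sigma kept
    return plus(result)                                            # hide_nil if nothing is left

if __name__ == "__main__":
    A = frozenset({"a"})
    X, Y, Z = ("pre", "x", ("nil",)), ("pre", "y", ("nil",)), ("pre", "z", ("nil",))
    # hide {a} in (a.X + sigma.Y + b.Z) --> tau.(hide {a} in X) + b.(hide {a} in Z)
    print(hide_hnf(A, ("sum", ("pre", "a", X), ("sum", ("pre", SIGMA, Y), ("pre", "b", Z)))))
```

Because $\mathit{hide}_{pr}$ is applied before $\mathit{hide}_{ds}$, the σ summand is discarded while a hidden action is available; distributing first would instead produce a σ.(hide A in Y) summand and thus a term that is not bisimilar to the original, which is exactly what the priority order in Lemma 3 prevents.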



Theorem 2. Let G be an OSOS process language, and let G' and P be the OSOS process language and the PRS respectively that are produced by the algorithm in Fig. 1. Then, P is head normalising and sound for bisimulation.

6 Termination, Confluence, and Completeness for Bisimulation 

Any practically useful process language must contain a mechanism for representing infinite behaviour. Most often this is done by means of process constants (or variables) that are defined by mutual recursion. A simple semaphore can be modelled by Sem and Sem' which are defined by $\mathit{Sem} \xrightarrow{up} \mathit{Sem}'$ and $\mathit{Sem}' \xrightarrow{down} \mathit{Sem}$, respectively. Sem and Sem' are simply distinctive OSOS operators. The PRS for Sem and Sem' is $\mathit{Sem} \to up.\mathit{Sem}' \succ \mathit{Sem} \to 0$ and $\mathit{Sem}' \to down.\mathit{Sem} \succ \mathit{Sem}' \to 0$.

Not surprisingly, processes such as Sem have non-terminating reductions: $\mathit{Sem} \to up.\mathit{Sem}' \to up.down.\mathit{Sem} \to up.down.up.\mathit{Sem}' \to \cdots$. The properties of PRSs with operators such as Sem are the subject of infinitary rewriting [14], and will be investigated in future. However, there is a subclass of OSOS PLs containing processes with finite behaviour [2]: Let G be an OSOS PL. A term $p \in T(\Sigma_G)$ is well-founded if there exists no infinite sequence $p_0, a_0, p_1, a_1, \ldots$ with $p = p_0$ and $p_i \xrightarrow{a_i} p_{i+1}$ for all $i \geq 1$. G is well-founded if all its terms are well-founded. Well-foundedness of OSOS PLs is not decidable, but syntactical well-foundedness is. If a PL is linear and syntactically well-founded, then it is well-founded.

Input: OSOS process language $G = (\Sigma, A, R, >)$ and PRS $P = (\Sigma, \emptyset, \emptyset)$.

1. If G is not a disjoint extension of B, then add to G disjointly B. Call the resulting language G'''. P becomes $(\Sigma_{G'''}, R''', \succ''')$ where R''' and ≻''' are as in Table 1.

2. For each operator f ∈ G''' which is not free of implicit copies apply the construction of Lemma 1 to obtain an operator free of implicit copies (the copy-free version of f). G''' extended disjointly with all such operators, for all not free of implicit copies operators f of G''', is denoted by G''. P becomes $(\Sigma_{G''}, R''' \cup R_{copy}, \succ''')$, where $R_{copy}$ is the set of copy rewrite rules produced by Lemma 1.

3. For each free of implicit copies operator $f \in \Sigma_{G''} \setminus \Sigma_B$ which is not simply distinctive apply the construction of Lemma 2 to produce simply distinctive auxiliary operators. A language G' is the result of extending disjointly G'' with all auxiliary operators for all free of implicit copies and not simply distinctive operators of G''. P becomes $(\Sigma_{G'}, R'', \succ''')$, where R'' is $R''' \cup R_{copy}$ extended with all the auxiliary rewrite rules required by Lemma 2.

4. For each simply distinctive f in $\Sigma_{G'} \setminus \Sigma_B$ extend R'' and ≻''' with all the priority resolving rewrite rules as in Lemma 3 to obtain the PRS $P'' = (\Sigma_{G'}, R', \succ'')$.

5. For each simply distinctive f in $\Sigma_{G'} \setminus \Sigma_B$ extend R' and ≻'' with all the remaining rewrite rules and the priority orders from Lemma 3. The resulting PRS is $P = (\Sigma_{G'}, R, \succ)$.

Output: G' such that G ≤ G', and a sound for bisimulation and head normalising PRS P.

Fig. 1. The PRS construction algorithm for OSOS process languages

Theorem 3. Let G be a syntactically well-founded and linear OSOS process language, and let G' and P be the OSOS process language and the PRS respectively that are produced by the algorithm in Fig. 1. Then, P is strongly normalising modulo AC, confluent and complete for bisimulation on closed terms over G'.

7 Conclusion and Future Work

We have described how to produce, for an arbitrary OSOS PL, a PRS that is head normalising and sound for bisimulation. When a PL in question is syntactically well-founded and linear, then its PRS is strongly normalising and confluent, and two processes are bisimilar iff they can be reduced to the same normal form modulo AC. We are planning to adapt our algorithm to other process equivalences.

There are well developed techniques for equational reasoning about processes that are not well-founded, for example, regular processes [17], and for reasoning about such processes w.r.t. bisimulation. We can prove equalities between such processes by using (a) the standard axioms to "unwind" recursive processes to hnf and (b) the Recursive Specification Principle (RSP) [9]. It would be interesting to research a class of OSOS PLs corresponding to Aceto's class of regular infinitary GSOS PLs [1], and investigate rewriting/equational reasoning in PLs within the class using our PRSs and the RSP.
Abstract. Linear-time properties and symbolic algorithms provide a widely used framework for system specification and verification. In this framework, the verification and control questions are phrased as boolean questions: a system either satisfies (or can be made to satisfy) a property, or it does not. These questions can be answered by symbolic algorithms expressed in the μ-calculus. We illustrate how the μ-calculus also provides the basis for two quantitative extensions of this approach: a probabilistic extension, where the verification and control problems are answered in terms of the probability with which the specification holds, and a discounted extension, in which events in the near future are weighted more heavily than events in the far away future.



1 Introduction 

Linear-time properties and symbolic algorithms provide a widely adopted framework for the specification and verification of systems. In this framework, a property is a set of linear sequences of system states. Common choices for the specification of system properties are temporal logic [MP91] and ω-regular automata [BL69,Tho90]. The verification question asks whether a system satisfies a property, that is, whether all the sequences of states that can be produced during the activity of the system belong to the property. Similarly, the control question asks whether it is possible to choose (a subset of) the inputs to the system to ensure that the system satisfies a property. These questions can be answered by algorithms that operate on sets of states, and that correspond to the iterative evaluation of μ-calculus fixpoint formulas [Koz83b,EL86,BC96]. This approach is often called the symbolic approach to verification and control, since the algorithms are often able to take advantage of compact representations for sets of states, thus providing an efficient way to answer the verification and control questions on systems with large (and, under some conditions [HM00,dAHM01b], infinite) state spaces. The approach is completed by property-preserving equivalence relations, such as bisimulation [Mil90] (for verification) and alternating bisimulation [AHKV98] (for control).

We refer to this approach as the boolean setting for verification and control. Indeed, the verification question is answered in a boolean fashion (either a system satisfies a property, or it does not). Correspondingly, the symbolic verification algorithms are boolean in nature: the subsets of states on which they operate can be (and very often are [Bry86]) represented by their characteristic functions, that are mappings from states to {0, 1}. Bisimulation itself can be seen as a binary distance function, associating distance 0 to two states if they are bisimilar, and distance 1 if they are not. In this paper, we illustrate how all the elements of this approach, namely, linear properties, symbolic algorithms, and equivalence relations, can be extended to a quantitative setting, where the control and verification questions are given quantitative answers, where the algorithms operate on mappings from states to real numbers, and where the equivalence relations correspond to real-valued distances [HK97,DGJP99,vBW01b,DEP02]. We consider two such quantitative settings: a probabilistic setting, where the verification and control questions are answered in terms of the probability that the system exhibits the desired property, and a discounted setting, where events in the near future are weighted more than those in the distant future. Our extensions rely on quantitative versions of the μ-calculus for solving the verification and control problems and, in the discounted setting, even for expressing the linear-time (discounted) specifications.



1.1 Games 

We develop the theory for the case of two-player stochastic games [Sha53,Eve57,FV97], also called concurrent probabilistic games [dAH00], and for control goals. A stochastic game is played over a state space. At each state, player 1 selects a move, and simultaneously and independently, player 2 selects a move; the game then proceeds to a successor state according to a transition probability determined by the current state and by the selected moves. An outcome of a game, called trace, consists in the infinite sequence of states that are visited in the course of the game. We say that a linear property holds for a trace if the trace belongs to the property. A simple example of game is the game matchbit. The game matchbit can be in one of two states, $s_{try}$ or $s_{goal}$. In state $s_{try}$, player 1 chooses a bit $b_1 \in \{0, 1\}$, and player 2 chooses a bit $b_2 \in \{0, 1\}$. If $b_1 = b_2$, the game proceeds to state $s_{goal}$; otherwise, the game stays in state $s_{try}$. The state $s_{goal}$ is absorbing: once entered it, the game never leaves it.

Games are a standard model for control problems: the moves of player 1 model the inputs from the controller, while the moves of player 2 model the remaining inputs along with the internal nondeterminism of the system. Stochastic games generalize transition systems, Markov chains, Markov decision processes [Ber95], and turn-based games.¹ The verification setting can be recovered as a special case of the control setting, corresponding to games where only one player has a choice of moves.

¹ For many of these special classes of systems, there are algorithms for solving verification and control problems that have better worst-case complexity than those that can be obtained by specializing the algorithms for stochastic games. A review of the most efficient known algorithms for these structures is beyond the scope of this paper.
1.2 Probabilistic Verification and Control

In systems with probabilistic transitions, such as Markov chains, it is possible that a linear property does not hold for all traces, but nevertheless holds with positive probability. Likewise, even in games with deterministic transitions, player 1 may not be able to ensure that a property holds on all traces, but may nevertheless be able to ensure that it holds with some positive probability [dAHK98]. For example, consider again the game matchbit, together with the property of reaching $s_{goal}$ (consisting of all traces that contain $s_{goal}$). Starting from $s_{try}$, player 1 is not able to ensure that all traces reach $s_{goal}$: whatever sequence of bits player 1 chooses, there is always the possibility that player 2 chooses the complementary sequence, confining the game to $s_{try}$. Nevertheless, if player 1 chooses each bit 0 and 1 with equal probability, in each round he will proceed to $s_{goal}$ with probability 1/2, so that $s_{goal}$ is reached with probability 1. Another example is provided by the game matchone, a variant of matchbit where the bits can be chosen once only. The game matchone can be in one of three states $s_{try}$, $s_{goal}$, and $s_{fail}$. At $s_{try}$, players 1 and 2 choose bits $b_1$ and $b_2$; if $b_1 = b_2$, the game proceeds to $s_{goal}$, otherwise it proceeds to $s_{fail}$. Both $s_{goal}$ and $s_{fail}$ are absorbing states. In the game matchone, the maximal probability with which player 1 can ensure reaching $s_{goal}$ is 1/2.

Hence, it is often of interest to consider a probabilistic version of verification and control problems, that ask the maximal probability with which a property can be guaranteed to hold. We are thus led to the problem of computing the maximal probability with which player 1 can ensure that an ω-regular property holds in a stochastic game. This problem can be solved with quantitative μ-calculus formulas that are directly derived from their boolean counterparts used to solve boolean control problems.

Specifically, [EJ91] showed that for turn-based games with deterministic transitions, the set of states from which player 1 can ensure that an ω-regular specification holds can be computed in a μ-calculus based on the set-theoretic operators ∪, ∩ and on the controllable predecessor operator Cpre. For a set T of states, the set Cpre(T) consists of the states from which player 1 can ensure a transition to T in one step. As an example, consider the reachability property ◇T, consisting of all the traces that contain a state in T. The set of states from which player 1 can ensure that all traces are in ◇T can be computed by letting $R_0 = T$, and for k = 0, 1, 2, ..., by letting $R_{k+1} = T \cup Cpre(R_k)$. The set $R_k$ consists of the states from which player 1 can force the game to T in at most k steps; in a finite game, the solution is thus given by $\lim_{k \to \infty} R_k$. Computing the sequence $R_0, R_1, R_2, \ldots$ of states corresponds to evaluating by iteration the least fixpoint of $R = T \cup Cpre(R)$, which is denoted in μ-calculus as $\mu x.(T \cup Cpre(x))$: this formula is thus a μ-calculus solution formula for reachability. Solution formulas are known for general parity conditions [EJ91], and this suffices for solving games with respect to arbitrary ω-regular properties.

The solution formulas for the probabilistic setting can be obtained simply by giving a quantitative interpretation to the solution formulas of [EJ91]. In this quantitative interpretation, subsets of states are replaced by state valuations that associate with each state a real number in the interval [0, 1]; the set operators ∪, ∩ are replaced by the pointwise maximum and minimum operators ⊔, ⊓ [Rei80,FH82,Koz83a,Fel83]. The operator Cpre is replaced by an operator Qpre that, given a state valuation f, gives the state valuation Qpre(f) associating with each state the maximal expectation of f that player 1 can achieve in one step.

As an example, consider again the goal ◇T. Denote by χ(T) the characteristic function of T, that assigns value 1 to states in T and value 0 to states outside T. We can compute the maximal probability of reaching T by letting $f_0 = \chi(T)$ and, for k = 0, 1, 2, ..., by letting $f_{k+1} = \chi(T) \sqcup Qpre(f_k)$. It is not difficult to see that $f_k(s)$ is the maximal probability with which player 1 can reach T from state s. The limit of $f_k$ for k → ∞, which corresponds to the least fixpoint $\mu x.(\chi(T) \sqcup Qpre(x))$, associates with each state the maximal probability with which player 1 can ensure ◇T. As an example, in the game matchbit we have $f_0(s_{try}) = 0$ and, for k > 0, $f_k(s_{try}) = 1 - 2^{-k}$; the limit $\lim_{k \to \infty} 1 - 2^{-k} = 1$ is indeed the probability with which player 1 can ensure reaching $s_{goal}$ from $s_{try}$. We note that the case for reachability games is in fact well known from classical game theory (see, e.g., [FV97]). However, this quantitative interpretation of the μ-calculus yields solution formulas for the complete set of ω-regular properties [dAM01]. Moreover, even for reachability games, the μ-calculus approach leads to simpler correctness arguments for the solution formula, since it is possible to exploit the complementation of μ-calculus and the connection between μ-calculus formulas and winning strategies in the construction of the arguments [dAM01].



1.3 Discounted Verification and Control 

The probabilistic setting is quantitative with respect to states, but not with respect to traces: while state valuations are quantitative, each trace is still evaluated in a boolean way: either it is in the property, or it is not. This boolean evaluation of traces does not enable us to specify "how well" a specification is met. For instance, a trace satisfies ◇T as long as the set T of target states is reached, no matter how long it takes to reach it: no prize is placed on reaching T sooner than later, and even if T is reached in a much longer time than the reasonable life expectancy of the system, the property nevertheless holds. Furthermore, if a property does not hold, the boolean evaluation of traces does not provide a notion of property approximation. For example, the safety property □T is violated if a state outside T is ever reached: no prize is placed on staying in T as long as possible, and the property fails even if the system stays in T for an expected time much larger than the system's own expected life time. As these examples illustrate, the boolean evaluation of traces is sensitive to changes in behavior that occur arbitrarily late: in technical terms, ω-regular properties are not continuous in the Cantor topology, which assigns distance $2^{-k}$ to traces that are identical up to position k − 1, and differ at k. Discounted control and verification proposes to remedy this situation by weighting events that occur in the near future more heavily than events that occur in the far-away future [dAHM03].
Discounting reachability and safety properties is easy. For reachability, we assign the value $\alpha^k$ to traces that reach the target set after k steps, for α ∈ [0, 1]; for safety, we assign the value $1 - \alpha^k$ to traces that stay in the safe set of states for k steps. For more complex temporal-logic properties, however, many discounting schemes are possible. For example, a Büchi property □◇B consists of all the traces that visit a subset B of states infinitely many times [MP91]. We can discount the property □◇B in several ways: on the basis of the time required to reach B, or on the basis of the number of visits to B, or on the basis of some more complex criterion (for instance, the time required to visit B twice). On the other hand, the predecessor operators of the μ-calculus provide a natural locus for discounting the next-step future. Discounted μ-calculus replaces Qpre with two discounted versions, αQpre and (1 − α) + αQpre, where α ∈ [0, 1] is a discount factor. Using these operators, we can write the solution to discounted reachability games as $\phi_{\alpha\text{-}reach} = \mu x.(\chi(T) \sqcup \alpha Qpre(x))$, and the solution to discounted safety games as $\phi_{\alpha\text{-}safety} = \nu x.(\chi(T) \sqcap (1 - \alpha) + \alpha Qpre(x))$.

We propose to use discounted μ-calculus as the common basis for the specification, verification, and control of discounted properties. We define discounted properties as the linear semantics of formulas of the discounted μ-calculus. The resulting setting is continuous in the Cantor topology, and provides notions of satisfaction quality and approximation for linear properties.
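As an added example (code written for this edition, not part of the paper), the Python program below carries out the iterations of Sect. 1.2 and 1.3 on constructed encodings of the games matchbit and matchone: the boolean iteration $R_{k+1} = T \cup Cpre(R_k)$, the probabilistic iteration $f_{k+1} = \chi(T) \sqcup Qpre(f_k)$, and the discounted reachability and safety iterations for $\mu x.(\chi(T) \sqcup \alpha Qpre(x))$ and $\nu x.(\chi(T) \sqcap (1 - \alpha) + \alpha Qpre(x))$. Qpre(f)(s) is computed as the value of the one-step zero-sum matrix game at s whose entries are the expectations of f; the example solves that game exactly only when each player has at most two moves (a general m × n matrix game needs a linear program). The class name Game, the encoding of δ as a dictionary of distributions and the use of exact rational arithmetic are choices of this example.

```python
from fractions import Fraction
from itertools import product

# Added example (not code from the paper): boolean reachability R_{k+1} = T u Cpre(R_k),
# probabilistic reachability f_{k+1} = chi(T) join Qpre(f_k) (Sect. 1.2) and the
# discounted reachability/safety iterations of Sect. 1.3, run on constructed versions
# of matchbit and matchone. Games follow Sect. 2.2: states S, moves Gamma_i(s), delta.

class Game:
    def __init__(self, states, gamma1, gamma2, delta):
        self.states = states    # S
        self.gamma1 = gamma1    # Gamma_1(s): moves of player 1 at s
        self.gamma2 = gamma2    # Gamma_2(s): moves of player 2 at s
        self.delta = delta      # delta[(s, a1, a2)] = {t: probability}

def matching_game(one_shot):
    """matchbit (one_shot=False) or matchone (one_shot=True) from Sect. 1.1 and 1.2."""
    states = ["s_try", "s_goal"] + (["s_fail"] if one_shot else [])
    delta = {}
    for b1, b2 in product((0, 1), repeat=2):
        if b1 == b2:
            delta[("s_try", b1, b2)] = {"s_goal": Fraction(1)}
        else:
            delta[("s_try", b1, b2)] = {"s_fail" if one_shot else "s_try": Fraction(1)}
        for absorbing in states[1:]:
            delta[(absorbing, b1, b2)] = {absorbing: Fraction(1)}
    bits = {s: [0, 1] for s in states}
    return Game(states, bits, bits, delta)

def matrix_game_value(a):
    """Value to the maximising row player of a zero-sum matrix game with at most two
    moves per player: a pure saddle point if one exists, else the 2x2 mixed formula."""
    maximin = max(min(row) for row in a)
    minimax = min(max(col) for col in zip(*a))
    if maximin == minimax:
        return maximin
    assert len(a) == 2 and len(a[0]) == 2, "larger matrix games need an LP solver"
    (p, q), (r, s) = a
    return (p * s - q * r) / (p + s - q - r)

def qpre(game, f):
    """Qpre(f)(s): maximal one-step expectation of f that player 1 can ensure at s."""
    return {s: matrix_game_value(
                [[sum(pr * f[t] for t, pr in game.delta[(s, a1, a2)].items())
                  for a2 in game.gamma2[s]] for a1 in game.gamma1[s]])
            for s in game.states}

def cpre(game, target):
    """Cpre(T): states where some move of player 1 sends every destination into T."""
    return {s for s in game.states
            if any(all(set(game.delta[(s, a1, a2)]) <= target for a2 in game.gamma2[s])
                   for a1 in game.gamma1[s])}

def boolean_reach(game, target):
    """Least fixpoint of R = T u Cpre(R), iterated from R_0 = T."""
    r = set(target)
    while True:
        nxt = set(target) | cpre(game, r)
        if nxt == r:
            return r
        r = nxt

def chi(game, target):
    """Characteristic function chi(T) as a state valuation."""
    return {s: Fraction(1 if s in target else 0) for s in game.states}

def prob_reach(game, target, k):
    """f_k with f_0 = chi(T) and f_{k+1} = chi(T) join Qpre(f_k), join = pointwise max."""
    f = chi(game, target)
    for _ in range(k):
        q = qpre(game, f)
        f = {s: max(c, q[s]) for s, c in chi(game, target).items()}
    return f

def discounted_reach(game, target, alpha, k):
    """k iterations of mu x.(chi(T) join alpha*Qpre(x)), starting from chi(T)."""
    alpha, f = Fraction(alpha), chi(game, target)
    for _ in range(k):
        q = qpre(game, f)
        f = {s: max(c, alpha * q[s]) for s, c in chi(game, target).items()}
    return f

def discounted_safety(game, target, alpha, k):
    """k iterations of nu x.(chi(T) meet ((1-alpha) + alpha*Qpre(x))), from the top valuation."""
    alpha, f = Fraction(alpha), {s: Fraction(1) for s in game.states}
    for _ in range(k):
        q = qpre(game, f)
        f = {s: min(c, (1 - alpha) + alpha * q[s]) for s, c in chi(game, target).items()}
    return f

if __name__ == "__main__":
    mb, goal = matching_game(False), {"s_goal"}
    print("boolean reach in matchbit:", boolean_reach(mb, goal))
    print("f_k(s_try):", [prob_reach(mb, goal, k)["s_try"] for k in range(4)])
    print("matchone:", prob_reach(matching_game(True), goal, 5)["s_try"])
    print("discounted reach, alpha=1/2:", float(discounted_reach(mb, goal, "1/2", 40)["s_try"]))
    print("discounted safety, alpha=1/2:", float(discounted_safety(mb, {"s_try"}, "1/2", 40)["s_try"]))
```

On matchbit the boolean iteration returns only $s_{goal}$, so player 1 cannot force a visit to $s_{goal}$ from $s_{try}$ in the boolean sense, while the probabilistic iteration gives $f_k(s_{try}) = 1 - 2^{-k}$ exactly as stated in Sect. 1.2; on matchone the value stays at 1/2. For the discounted iterations the matrix game at $s_{try}$ has value $(f(s_{goal}) + f(s_{try}))/2$, so with α = 1/2 the reachability value at $s_{try}$ converges to the solution of $t = \alpha(1 + t)/2$, that is 1/3, and the safety value of staying in $s_{try}$ converges to the solution of $t = (1 - \alpha) + \alpha t/2$, that is 2/3; both are this example's own hand checks, not values from the paper.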

1.4 Linear and Branching Semantics for the μ-Calculus

Given a formula ϕ of the μ-calculus, we can associate a linear semantics to ϕ by evaluating it on linear traces, and by taking the value on the first state. This linear semantics is often, but not always, related to the evaluation of the formula on the game, which we call the branching semantics. As an example, if we evaluate the fixpoint $\phi_{reach} = \mu x.(T \cup Cpre(x))$ on a trace $s_0, s_1, s_2, \ldots$, we have that $s_0 \in \phi_{reach}$ if there is k ∈ ℕ such that $s_k \in T$. Hence, the linear semantics of $\phi_{reach}$, denoted $[\phi_{reach}]^{lin}$, coincides with ◇T. In this case, we have that the formula $\phi_{reach}$, evaluated on a game, returns exactly the states from which player 1 can ensure $[\phi_{reach}]^{lin}$. This connection does not hold for all formulas. For example, consider the formula $\psi = \mu x.(Cpre(x) \cup \nu y.(T \cap Cpre(y)))$. If we evaluate this formula on a trace $s_0, s_1, s_2, \ldots$, we can show that $s_k \in \nu y.(T \cap Cpre(y))$ iff we have $s_j \in T$ for all j ≥ k. Hence, we have $s_0 \in \psi$ iff there is k ∈ ℕ such that $s_j \in T$ for all j ≥ k: in other words, the linear semantics $[\psi]^{lin}$ coincides with the co-Büchi property ◇□T [Tho90]. On the other hand, the formula ψ, evaluated on a game, does not correspond to the states from which player 1 can ensure ◇□T (see Example 1 in Sect. 3).

In the boolean setting, the linear and branching semantics are related for all strongly deterministic formulas [dAHM01a], a set of formulas that includes the solution formulas for games with respect to ω-regular properties [EJ91]. We show that this correspondence carries through to the probabilistic and discounted settings. Indeed, in both the probabilistic and the discounted settings, we show that the values computed by strongly deterministic formulas are equal to the maximal expectation of their linear semantics that player 1 can ensure.
In the discounted setting, the linear semantics of discounted μ-calculus provides the specification language, and the branching semantics provides the verification algorithms. For example, the value of the discounted formula $\phi_{\alpha\text{-}reach}$ on the first state of a trace $s_0, s_1, s_2, \ldots$ is $\alpha^k$, where $k = \min\{j \in \mathbb{N} \mid s_j \in T\}$. Hence, the linear semantics $[\phi_{\alpha\text{-}reach}]^{lin}$ associates the value $\alpha^k$ to traces that reach T in k steps. The same formula $\phi_{\alpha\text{-}reach}$, evaluated on a game, yields the maximum value of $[\phi_{\alpha\text{-}reach}]^{lin}$ that player 1 can achieve. Similarly, the value of $\phi_{\alpha\text{-}safety}$ on the first state of a trace $s_0, s_1, s_2, \ldots$ is $1 - \alpha^k$, where $k = \min\{j \in \mathbb{N} \mid s_j \notin T\}$. Hence, the linear semantics $[\phi_{\alpha\text{-}safety}]^{lin}$ associates the value $1 - \alpha^k$ to traces that stay in T for k steps. The same formula $\phi_{\alpha\text{-}safety}$, evaluated on a game, yields the maximum value of $[\phi_{\alpha\text{-}safety}]^{lin}$ that player 1 can achieve. Again, this correspondence holds for a set of formulas that includes the solution formulas of games with parity conditions.

1.5 Quantitative Equivalence Relations 

The frameworks for probabilistic and discounted verification are complemented by quantitative equivalence relations [HK97,DGJP99,vBW01b]. We show that, just as CTL and CTL* characterize ordinary bisimulation [Mil90], so probabilistic and discounted μ-calculus characterize probabilistic and discounted bisimulation [dAHM03].

Credits. This paper is based on joint work with Thomas A. Henzinger and Rupak Majumdar on the connection between games, μ-calculus, and linear properties [dAHM01a,dAM01,dAHM03]. I would like to thank Marco Faella, Rupak Majumdar, Marielle Stoelinga, and an anonymous reviewer for reading a preliminary version of this work and for providing many helpful comments and suggestions.

2 Preliminaries 

2.1 The μ-Calculus

Syntax. Let P be a set of predicate symbols, V be a set of variables, and F be a set of function symbols. The formulas of μ-calculus are generated by the grammar

\[ \phi ::= p \mid x \mid \neg\phi \mid \phi \vee \phi \mid \phi \wedge \phi \mid f(\phi) \mid \mu x.\phi \mid \nu x.\phi, \tag{1} \]

for predicates p ∈ P, variables x ∈ V, and functions f ∈ F. In the two quantifications μx.ϕ and νx.ϕ, we require that all occurrences of x in ϕ have even polarity, that is, they occur in the scope of an even number of negations (¬). We assume that for each function f ∈ F there is a dual function Dual(f) ∈ F, with Dual(Dual(f)) = f. Given a closed formula ϕ of μ-calculus, the following transformations enable us to push all negations to the predicates:

\[ \neg(\phi_1 \vee \phi_2) \Rightarrow (\neg\phi_1) \wedge (\neg\phi_2) \qquad \neg(\mu x.\phi) \Rightarrow \nu x.\neg\phi[\neg x/x] \tag{2} \]

\[ \neg(\phi_1 \wedge \phi_2) \Rightarrow (\neg\phi_1) \vee (\neg\phi_2) \qquad \neg(\nu x.\phi) \Rightarrow \mu x.\neg\phi[\neg x/x] \tag{3} \]

\[ \neg f(\phi) \Rightarrow \mathrm{Dual}(f)(\neg\phi), \tag{4} \]
where ϕ[¬x/x] denotes the formula in which all free occurrences of x are replaced by ¬x. We will be particularly interested in the class of formulas in EJ-form. These formulas take their name from the authors of [EJ91], where it was shown that they suffice for solving turn-based games; as we will see, these formulas can be uniformly used for solving boolean, probabilistic, and discounted control problems with respect to parity conditions. For f ∈ F, a formula ϕ is in EJ-form if it can be written as

\[ \phi ::= \gamma_n x_n .\, \gamma_{n-1} x_{n-1} \cdots \gamma_0 x_0 .\, \bigvee_{i=0}^{n} (\chi_i \wedge f(x_i)), \qquad \chi ::= p \mid \neg\chi \mid \chi \vee \chi \mid \chi \wedge \chi, \]

where for 0 ≤ i ≤ n, we have $x_i \in V$, and where f ∈ F and p ∈ P. For 0 ≤ i ≤ n, the fixpoint quantifier $\gamma_i$ is ν if i is even, and is μ if i is odd. A fixpoint formula ϕ is in strongly deterministic form [dAHM01a] iff ϕ consists of a string of fixpoint quantifiers followed by a quantifier-free part ψ generated by the following grammar:

\[ \psi ::= p \mid \neg p \mid \psi \vee \psi \mid p \wedge \psi \mid \neg p \wedge \psi \mid f(\chi), \qquad \chi ::= x \mid \chi \vee \chi. \]



Semantics. The semantics of μ-calculus is defined in terms of lattices. A lattice $L = (E, \sqsubseteq)$ consists of a set E of elements and of a partial order ⊑ over E, such that every pair of elements $v_1, v_2 \in E$ has a unique greatest lower bound $v_1 \sqcap v_2$ and least upper bound $v_1 \sqcup v_2$. A lattice is complete if every (not necessarily finite) non-empty subset of E has a greatest lower bound and a least upper bound in E. A value lattice is a complete lattice together with a negation operator ∼ satisfying $\sim\sim v = v$ for all v ∈ E, and $\sim\sqcap E' = \sqcup\{\sim v \mid v \in E'\}$ for all E' ⊆ E [Ros90, chapter 6]. A μ-calculus interpretation $(L, [\![\cdot]\!])$ consists of a value lattice $L = (E, \sqsubseteq)$ and of an interpretation $[\![\cdot]\!]$ that maps every predicate p ∈ P to a lattice element $[\![p]\!] \in E$, and that maps every function f ∈ F to a function $[\![f]\!] \in (E \mapsto E)$. We require that for all f ∈ F and all v ∈ E, we have $\sim[\![f]\!](v) = [\![\mathrm{Dual}(f)]\!](\sim v)$. A variable environment is a function $e : V \mapsto E$ that associates a lattice element e(x) ∈ E to each variable x ∈ V. For x ∈ V, v ∈ E, and a variable environment e, we denote by e[x := v] the variable environment defined by e[x := v](x) = v, and e[x := v](y) = e(y) for x ≠ y.

Given an interpretation $I = (L, [\![\cdot]\!])$, and a variable environment e, every μ-calculus formula ϕ specifies a lattice element $[\![\phi]\!]^I_e \in E$, defined inductively as follows, for p ∈ P, f ∈ F, and x ∈ V:

\[ \begin{array}{ll}
[\![p]\!]^I_e = [\![p]\!] & [\![\phi_1 \vee \phi_2]\!]^I_e = [\![\phi_1]\!]^I_e \sqcup [\![\phi_2]\!]^I_e \\[2pt]
[\![\neg p]\!]^I_e = \sim[\![p]\!] & [\![\phi_1 \wedge \phi_2]\!]^I_e = [\![\phi_1]\!]^I_e \sqcap [\![\phi_2]\!]^I_e \\[2pt]
[\![x]\!]^I_e = e(x) & [\![\mu x.\phi]\!]^I_e = \sqcap\{\, v \in E \mid v = [\![\phi]\!]^I_{e[x := v]} \,\} \\[2pt]
[\![f(\phi)]\!]^I_e = [\![f]\!]([\![\phi]\!]^I_e) & [\![\nu x.\phi]\!]^I_e = \sqcup\{\, v \in E \mid v = [\![\phi]\!]^I_{e[x := v]} \,\}
\end{array} \]
All right-hand-side (semantic) operations are performed over the value lattice L. It is easy to show that if ϕ ⇒ ϕ' by (2)-(4), then $[\![\phi]\!]^I_e = [\![\phi']\!]^I_e$. A μ-calculus formula ϕ is closed if all its variables are bound by one of the μ or ν fixpoint quantifiers. If ϕ is closed, then the value $[\![\phi]\!]^I_e$ does not depend on e, and we write simply $[\![\phi]\!]^I$.



2.2 Game Structures 

We develop the theory for stochastic game structures. For a finite set A, we denote by Distr(A) the set of probability distributions over A. A (two-player stochastic) game structure $\mathcal{G} = (S, M, \Gamma_1, \Gamma_2, \delta)$ consists of the following components [AHK02,dAHK98]:

– A finite set S of states.

– A finite set M of moves.

– Two move assignments $\Gamma_1, \Gamma_2 : S \mapsto 2^M \setminus \emptyset$. For i ∈ {1, 2}, the assignment $\Gamma_i$ associates with each state s ∈ S the nonempty set $\Gamma_i(s) \subseteq M$ of moves available to player i at state s.

– A probabilistic transition function $\delta : S \times M^2 \mapsto Distr(S)$, that gives the probability $\delta(s, a_1, a_2)(t)$ of a transition from s to t when player 1 plays move $a_1$ and player 2 plays move $a_2$.

At every state s ∈ S, player 1 chooses a move $a_1 \in \Gamma_1(s)$, and simultaneously and independently player 2 chooses a move $a_2 \in \Gamma_2(s)$. The game then proceeds to the successor state t ∈ S with probability $\delta(s, a_1, a_2)(t)$. We denote by $\tau(s, a_1, a_2) = \{t \in S \mid \delta(s, a_1, a_2)(t) > 0\}$ the set of destination states when moves $a_1, a_2$ are chosen at s. In general, the players can randomize their choice of moves at a state. We denote by $\mathcal{D}_i(s) \subseteq Distr(M)$ the set of move distributions available to player i ∈ {1, 2} at s ∈ S, defined by

\[ \mathcal{D}_i(s) = \{\xi \in Distr(M) \mid \xi(a) > 0 \text{ implies } a \in \Gamma_i(s)\}. \]

For s ∈ S and $\xi_1 \in \mathcal{D}_1(s)$, $\xi_2 \in \mathcal{D}_2(s)$, we denote by $\delta(s, \xi_1, \xi_2)$ the next-state probability distribution, defined for all t ∈ S by

\[ \delta(s, \xi_1, \xi_2)(t) = \sum_{a_1 \in \Gamma_1(s)} \sum_{a_2 \in \Gamma_2(s)} \delta(s, a_1, a_2)(t)\, \xi_1(a_1)\, \xi_2(a_2). \]

A (randomized) strategy for player i ∈ {1, 2} is a mapping $\pi_i : S^+ \mapsto Distr(M)$ that associates with every sequence of states $\bar{s} \in S^+$ the move distribution $\pi_i(\bar{s})$ used by player i when the past history of the game is $\bar{s}$; we require that $\pi_i(\bar{s} s) \in \mathcal{D}_i(s)$ for all $\bar{s} \in S^*$ and s ∈ S. We indicate with $\Pi_i$ the set of all strategies for player i ∈ {1, 2}.

Given an initial state s ∈ S and two strategies $\pi_1 \in \Pi_1$ and $\pi_2 \in \Pi_2$, we define the set $Outcomes(s, \pi_1, \pi_2) \subseteq S^\omega$ to consist of all the sequences of states $s_0, s_1, s_2, \ldots$ such that $s_0 = s$ and such that for all k ≥ 0 there are moves $a_1, a_2 \in M$ such that $\pi_1(s_0, \ldots, s_k)(a_1) > 0$, $\pi_2(s_0, \ldots, s_k)(a_2) > 0$, and
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Sfc+i G r(sfe,aj,a 2 ). Given a trace a = so,si,S 2 ,... G we denote by ak its 
fc-th state Sk- 

An initial state $s \in S$ and two strategies $\pi_1 \in \Pi_1$ and $\pi_2 \in \Pi_2$ uniquely determine a stochastic process $(S^\omega, \Omega, \Pr_s^{\pi_1,\pi_2})$, where $\Omega \subseteq 2^{S^\omega}$ is the set of measurable sets, and where $\Pr_s^{\pi_1,\pi_2} : \Omega \mapsto [0,1]$ assigns a probability to each measurable set [KSK66,FV97]. In particular, for a measurable set of traces $A \in \Omega$, we denote by $\Pr_s^{\pi_1,\pi_2}(A)$ the probability that the game follows a trace in $A$, and given a measurable function $f : S^\omega \mapsto \mathbb{R}$, we denote by $\mathrm{E}_s^{\pi_1,\pi_2}(f)$ the expectation of $f$ in $(S^\omega, \Omega, \Pr_s^{\pi_1,\pi_2})$.

We denote by $S_G$, $M_G$, $\Gamma_1^G$, $\Gamma_2^G$, and $\delta_G$ the individual components of a game structure $G$.

Special Classes of Game Structures. Transition systems, turn-based games, and Markov decision processes are special cases of deterministic game structures. A game structure $G$ is deterministic if for all states $s,t \in S_G$ and all moves $a_1,a_2 \in M_G$ we have $\delta_G(s,a_1,a_2)(t) \in \{0,1\}$. The structure $G$ is turn-based if at every state at most one player can choose among multiple moves; that is, if for all states $s \in S_G$, there exists at most one $i \in \{1,2\}$ with $|\Gamma_i^G(s)| > 1$. The turn-based deterministic game structures coincide with the games of [BL69,Con92,Tho95]. For $i \in \{1,2\}$, the structure $G$ is player-$i$ if at every state only player $i$ can choose among multiple moves; that is, if $|\Gamma_{3-i}^G(s)| = 1$ for all states $s \in S$. Player-1 and player-2 structures (called collectively one-player structures) coincide with Markov decision processes [Der70]. The player-$i$ deterministic game structures coincide with transition systems: in every state, each available move of player $i$ determines a unique successor state.

3 Boolean Verification and Control 

Given a game structure $G = (S, M, \Gamma_1, \Gamma_2, \delta)$, a linear property of $G$ is a subset $\Phi \subseteq S^\omega$ of its state sequences. Given a linear property $\Phi \subseteq S^\omega$, we let

$\langle 1 \rangle_G \Phi = \{s \in S \mid \exists \pi_1 \in \Pi_1 .\ \forall \pi_2 \in \Pi_2 .\ \mathrm{Outcomes}(s,\pi_1,\pi_2) \subseteq \Phi\}$ (5)

$\langle 2 \rangle_G \Phi = \{s \in S \mid \exists \pi_2 \in \Pi_2 .\ \forall \pi_1 \in \Pi_1 .\ \mathrm{Outcomes}(s,\pi_1,\pi_2) \subseteq \Phi\}.$ (6)

The set $\langle 1 \rangle_G \Phi$ is the set of states from which player 1 can ensure that the game outcome is in $\Phi$; the set $\langle 2 \rangle_G \Phi$ is the symmetrically defined set for player 2. We consider the control problems of computing the sets (5) and (6). We note that for player-1 deterministic game structures, computing (5) corresponds to solving the existential verification problem "is there a trace in $\Phi$?", and for player-2 game structures computing (5) corresponds to solving the universal verification problem "are all traces in $\Phi$?". We review the well-known solution of these control problems for the case in which $\Phi$ is a reachability property, a safety property, and a parity property. For a subset $T \subseteq S$ of states, the safety property $\Box T = \{s_0, s_1, s_2, \ldots \in S^\omega \mid \forall k .\ s_k \in T\}$ consists of all traces that stay always in $T$, and the reachability property $\Diamond T = \{s_0, s_1, s_2, \ldots \in S^\omega \mid \exists k .\ s_k \in T\}$ consists of all traces that contain a state in $T$. Consider any tuple $\Delta = (T_1, T_2, \ldots, T_m)$ such that $T_1, T_2, \ldots, T_m$ form a partition of $S$ into $m > 0$ mutually disjoint subsets. Given a trace $\sigma = s_0, s_1, s_2, \ldots \in S^\omega$, we denote by $\mathrm{Index}(\sigma,\Delta)$ the largest $i \in \{1,\ldots,m\}$ such that $s_k \in T_i$ for infinitely many $k \in \mathbb{N}$. Then, the parity property $\mathrm{Parity}(\Delta)$ is defined as $\mathrm{Parity}(\Delta) = \{\sigma \in S^\omega \mid \mathrm{Index}(\sigma,\Delta) \text{ is even}\}$. The relevance of parity properties is due to the fact that any $\omega$-regular property can be specified with a deterministic automaton with a parity accepting condition [Tho90]. Hence, we can transform any verification problem with respect to an $\omega$-regular condition into a verification problem with respect to a parity condition by means of a simple automaton product construction (see for instance [dAHM01a]).



3.1 Boolean $\mu$-Calculus

For all three classes of properties (safety, reachability, and parity), the solution of the boolean control problems (5)-(6) can be written in $\mu$-calculus interpreted over the lattice of subsets of states. Precisely, given a set $S$ of states, the set $BMC_S$ of boolean $\mu$-calculus formulas consists of all $\mu$-calculus formulas defined over the set of predicates $\mathcal{P}_S = 2^S$ and the set of functions $\mathcal{F}_B = \{pre_1, dpre_1, pre_2, dpre_2\}$, where $\mathrm{Dual}(pre_1) = dpre_1$ and $\mathrm{Dual}(pre_2) = dpre_2$. Given a game structure $G = (S, M, \Gamma_1, \Gamma_2, \delta)$, we interpret the formulas of $BMC_S$ over the lattice $L(2^S, \subseteq)$ of subsets of $S$, ordered according to set inclusion. Negation is set complementation: for all $T \subseteq S$, we let $\sim\!T = S \setminus T$. The predicates are interpreted as themselves: for all $p \in \mathcal{P}_S$, we let $\llbracket p \rrbracket_G = p$. The functions $pre_1$, $dpre_1$, $pre_2$, and $dpre_2$ are called predecessor operators, and they are interpreted as follows:

$\llbracket pre_1 \rrbracket_G(X) = \{s \in S \mid \exists a_1 \in \Gamma_1(s) .\ \forall a_2 \in \Gamma_2(s) .\ \tau(s,a_1,a_2) \subseteq X\}$ (7)

$\llbracket dpre_1 \rrbracket_G(X) = \{s \in S \mid \forall a_1 \in \Gamma_1(s) .\ \exists a_2 \in \Gamma_2(s) .\ \tau(s,a_1,a_2) \cap X \neq \emptyset\}$ (8)

$\llbracket pre_2 \rrbracket_G(X) = \{s \in S \mid \exists a_2 \in \Gamma_2(s) .\ \forall a_1 \in \Gamma_1(s) .\ \tau(s,a_1,a_2) \subseteq X\}$ (9)

$\llbracket dpre_2 \rrbracket_G(X) = \{s \in S \mid \forall a_2 \in \Gamma_2(s) .\ \exists a_1 \in \Gamma_1(s) .\ \tau(s,a_1,a_2) \cap X \neq \emptyset\}.$ (10)

Intuitively, $\llbracket pre_1 \rrbracket_G(X)$ is the set of states from which player 1 can force a transition to $X$ in $G$, and $\llbracket dpre_1 \rrbracket_G(X)$ is the set of states from which player 1 is unable to avoid a transition to $X$ in $G$. The functions $pre_2$ and $dpre_2$ are interpreted symmetrically. We denote by $bin(G) = (L(2^S, \subseteq), \llbracket \cdot \rrbracket_G)$ the resulting interpretation for $\mu$-calculus. For a closed formula $\phi \in BMC_S$, we write $\llbracket \phi \rrbracket_G$ for the semantics of $\phi$ in $bin(G)$, and we omit $G$ when clear from the context. For a game $G$, a subset $T \subseteq S_G$ of states and player $i \in \{1,2\}$, we have then

$\langle i \rangle_G \Diamond T = \llbracket \mu x .\ (T \vee pre_i(x)) \rrbracket_G.$ (11)

This formula can be understood by considering its iterative computation: we have that $\llbracket \mu x .\ (T \vee pre_i(x)) \rrbracket_G = \lim_{k \to \infty} X_k$, where $X_0 = \emptyset$ and, for $k \in \mathbb{N}$, $X_{k+1} = T \cup \llbracket pre_i \rrbracket_G(X_k)$: it is easy to show by induction that $X_k$ consists of the states of $S$ from which player $i$ can force the game to $T$ in at most $k$ steps. The equation (11) then follows by taking the limit $k \to \infty$. Similarly, for safety properties we have, for $i \in \{1,2\}$:

$\langle i \rangle_G \Box T = \llbracket \nu x .\ (T \wedge pre_i(x)) \rrbracket_G.$ (12)

Again, to understand this formula it helps to consider its iterative computation. We have $\llbracket \nu x .\ (T \wedge pre_i(x)) \rrbracket_G = \lim_{k \to \infty} X_k$, where $X_0 = S$ and, for $k \in \mathbb{N}$, $X_{k+1} = T \cap \llbracket pre_i \rrbracket_G(X_k)$; it is easy to see that $X_k$ consists of the states of $G$ from which player $i$ can guarantee that the game stays in $T$ for at least $k$ steps. The equation (12) then follows by taking the limit $k \to \infty$. The solution of control and verification problems for parity properties is given by the following result.

Theorem 1. [EJ91] For all game structures $G$, all partitions $(T_1, T_2, \ldots, T_m)$ of $S_G$, and all $i \in \{1,2\}$, we have

$\langle i \rangle_G \mathrm{Parity}((T_1, \ldots, T_m)) = \Bigl\llbracket \lambda_m x_m \cdots \mu x_1 .\ \bigvee_{j=1}^{m} (T_j \wedge pre_i(x_j)) \Bigr\rrbracket_G.$ (13)

Given an EJ-form $\mu$-calculus formula $\phi = \lambda_m x_m \cdots \mu x_1 .\ \bigvee_{j=1}^{m} (T_j \wedge pre_i(x_j))$, we define the parity property $\mathrm{PtyOf}(\phi)$ corresponding to $\phi$ by $\mathrm{PtyOf}(\phi) = \mathrm{Parity}((T_1, \ldots, T_m))$. With this notation, we can restate (13) as follows.

Corollary 1. For all game structures $G$, all $i \in \{1,2\}$ and all closed EJ-form $\mu$-calculus formulas $\phi \in BMC_{S_G}$ containing only the function symbol $pre_i$, we have $\langle i \rangle_G \mathrm{PtyOf}(\phi) = \llbracket \phi \rrbracket_G$.

Lack of Determinacy. In boolean $\mu$-calculus, the operators $pre_1$ and $pre_2$ are not the dual one of the other. This implies that boolean control problems are not determined: for $\Phi \subseteq S^\omega$, the equality $S \setminus \langle 1 \rangle_G \Phi = \langle 2 \rangle_G (S^\omega \setminus \Phi)$ does not hold for all game structures $G$ and all properties $\Phi$. Intuitively, the fact that player 1 is unable to ensure the control goal $\Phi$ does not entail that player 2 is able to ensure the control goal $\neg\Phi$. For example, there are game structures $G$ where for some $T \subseteq S_G$ we have

$S_G \setminus (\langle 1 \rangle_G \Diamond T) = \llbracket \neg \mu x .\ (T \vee pre_1(x)) \rrbracket_G = \llbracket \nu x .\ (\neg T \wedge dpre_1(x)) \rrbracket_G$
$\neq \llbracket \nu x .\ (\neg T \wedge pre_2(x)) \rrbracket_G = \langle 2 \rangle_G \Box(\neg T).$

An example is the game structure matchbit: as explained in the introduction we have $s_{try} \notin \langle 1 \rangle_G \Diamond\{s_{goal}\}$; on the other hand, it can be easily seen that $s_{try} \notin \langle 2 \rangle_G \Box\{s_{try}\}$.
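The predecessor operators (7)-(10), the iterations behind (11) and (12), and the lack of determinacy just illustrated on matchbit, as an added example in Python (this is not code from the paper). The matchbit structure is an assumption of the example, reconstructed from the behaviour the text ascribes to it: at $s_{try}$ both players pick a bit simultaneously, a match moves the game to the absorbing state $s_{goal}$, and a mismatch keeps it at $s_{try}$.

```python
"""Boolean mu-calculus over a game structure: the predecessor operators
pre_i / dpre_i of (7)-(10) and the iterative fixpoints (11)-(12).

Constructed example, not code from the paper.  The 'matchbit' structure is
an assumption reconstructed from the behaviour the text ascribes to it:
at s_try both players pick a bit; a match moves to s_goal (absorbing),
a mismatch keeps the game at s_try."""


class GameStructure:
    """G = (S, M, Gamma_1, Gamma_2, delta) with deterministic transitions,
    given directly as tau(s, a1, a2) -> set of successor states."""

    def __init__(self, states, moves, gamma1, gamma2, tau):
        self.S = frozenset(states)
        self.M = frozenset(moves)
        self.gamma = {1: gamma1, 2: gamma2}   # gamma[i](s): moves of player i at s
        self.tau = tau

    def succ(self, s, i, a, b):
        """tau(s, ., .) with a the move of player i and b the opponent's move."""
        a1, a2 = (a, b) if i == 1 else (b, a)
        return frozenset(self.tau(s, a1, a2))

    def pre(self, i, X):
        """[[pre_i]](X), (7)/(9): player i has a move that forces the
        successor into X whatever the opponent does."""
        j = 3 - i
        return frozenset(
            s for s in self.S
            if any(all(self.succ(s, i, a, b) <= X for b in self.gamma[j](s))
                   for a in self.gamma[i](s)))

    def dpre(self, i, X):
        """[[dpre_i]](X), (8)/(10): for every move of player i the opponent
        can answer with a successor in X, i.e. player i cannot avoid X."""
        j = 3 - i
        return frozenset(
            s for s in self.S
            if all(any(self.succ(s, i, a, b) & X for b in self.gamma[j](s))
                   for a in self.gamma[i](s)))


def kleene_fixpoint(step, start):
    """Iterate step() from start until stable; the lattice 2^S is finite,
    so the sequence X_k is eventually constant."""
    x = start
    while True:
        y = step(x)
        if y == x:
            return x
        x = y


def reach(G, i, T):
    """<i> Diamond T = [[mu x. (T or pre_i(x))]]  (11): X_0 = {}, X_{k+1} = T u pre_i(X_k)."""
    T = frozenset(T)
    return kleene_fixpoint(lambda x: T | G.pre(i, x), frozenset())


def safe(G, i, T):
    """<i> Box T = [[nu x. (T and pre_i(x))]]  (12): X_0 = S, X_{k+1} = T n pre_i(X_k)."""
    T = frozenset(T)
    return kleene_fixpoint(lambda x: T & G.pre(i, x), G.S)


def determinacy_gap(G, i, T):
    """Return (S \\ <i>Diamond T, <j>Box(S \\ T)) for the opponent j = 3 - i.
    In the boolean setting the two sets need not coincide (lack of determinacy)."""
    T = frozenset(T)
    return G.S - reach(G, i, T), safe(G, 3 - i, G.S - T)


def matchbit():
    """Constructed matchbit game (assumption, see module docstring)."""
    def tau(s, a1, a2):
        if s == "s_goal":
            return {"s_goal"}
        return {"s_goal"} if a1 == a2 else {"s_try"}

    def bits(s):
        return {"0", "1"} if s == "s_try" else {"0"}

    return GameStructure({"s_try", "s_goal"}, {"0", "1"}, bits, bits, tau)


if __name__ == "__main__":
    G = matchbit()
    print(sorted(reach(G, 1, {"s_goal"})))   # s_try is not in <1>Diamond{s_goal}
    print(sorted(safe(G, 2, {"s_try"})))     # s_try is not in <2>Box{s_try} either
    print(determinacy_gap(G, 1, {"s_goal"}))
```

On matchbit, `determinacy_gap` returns $\{s_{try}\}$ for $S \setminus \langle 1 \rangle \Diamond\{s_{goal}\}$ and the empty set for $\langle 2 \rangle \Box\{s_{try}\}$, which is exactly the inequality displayed above; the complement identity $S \setminus \llbracket pre_i \rrbracket(X) = \llbracket dpre_i \rrbracket(S \setminus X)$ does hold, and is the duality the boolean calculus keeps.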



3.2 The Linear Semantics of Boolean $\mu$-Calculus

Theorem 1 establishes a basic connection between linear parity properties and verification algorithms expressed in $\mu$-calculus. Here, we shall develop a connection between linear properties expressed in $\mu$-calculus, and their verification algorithms also expressed in $\mu$-calculus. To this end, we provide a linear semantics for $\mu$-calculus, obtained by evaluating $\mu$-calculus on linear traces.

A trace $\sigma \in S^\omega$ gives rise to an interpretation $\mathcal{I}_\sigma = (L(2^{\mathbb{N}}, \subseteq), \llbracket \cdot \rrbracket_\sigma)$ for $\mu$-calculus, where $L(2^{\mathbb{N}}, \subseteq)$ is the lattice of subsets of natural numbers ordered according to set inclusion, and where all predicates $p \in 2^S$ are interpreted as the sets of indices of states in $p$, i.e., $\llbracket p \rrbracket_\sigma = \{k \in \mathbb{N} \mid \sigma_k \in p\}$. The definitions (7)-(10) can be simplified, since every location of the trace has a single successor: for all $i \in \{1,2\}$ and all $X \subseteq \mathbb{N}$ we let $\llbracket pre_i \rrbracket_\sigma(X) = \llbracket dpre_i \rrbracket_\sigma(X) = \{k \in \mathbb{N} \mid k+1 \in X\}$. We define the boolean linear semantics over the set of states $S$ of a closed $\mu$-calculus formula $\phi \in BMC_S$ to consist of all traces whose first state is in the semantics of $\phi$: specifically, $[\phi]^{lin}_S = \{\sigma \in S^\omega \mid \sigma_0 \in \llbracket \phi \rrbracket_\sigma\}$. In contrast, we call the semantics $\llbracket \phi \rrbracket_G$ defined over a game structure $G$ the branching semantics of the $\mu$-calculus formula $\phi$. The following lemma states that for formulas in EJ-form, the parity property corresponding to the formula coincides with the linear semantics of the formula.

Lemma 1. For all sets of states $S$, all $i \in \{1,2\}$ and all closed EJ-form $\mu$-calculus formulas $\phi \in BMC_S$ containing only the function symbol $pre_i$, we have $\mathrm{PtyOf}(\phi) = [\phi]^{lin}_S$.

This leads easily to the following result, which relates the linear and branching semantics of EJ-form formulas.

Corollary 2. For all game structures $G$, all $i \in \{1,2\}$ and all closed EJ-form $\mu$-calculus formulas $\phi \in BMC_{S_G}$ containing only the function symbol $pre_i$, we have $\llbracket \phi \rrbracket_G = \langle i \rangle_G \mathrm{PtyOf}(\phi) = \langle i \rangle_G [\phi]^{lin}_{S_G}$.

In fact, the relationship between the linear and branching semantics holds for all $\mu$-calculus formulas in strongly deterministic form.

Theorem 2. [dAHM01a] For all game structures $G$, all closed $\mu$-calculus formulas $\phi \in BMC_{S_G}$, and all players $i \in \{1,2\}$, if $\phi$ is in strongly deterministic form and contains only the function symbol $pre_i$, then $\llbracket \phi \rrbracket_G = \langle i \rangle_G [\phi]^{lin}_{S_G}$.

We will see that the linear and branching semantics of strongly deterministic (and in particular, EJ-form) formulas are related in all the settings considered in this paper, namely, in the boolean, probabilistic, and discounted settings. The linear and branching semantics of formulas are not always related, as the following example demonstrates.

Example 1. [dAHM01a] Consider the formula $\phi = \mu x .\ (pre_1(x) \vee \nu y .\ (B \wedge pre_1(y)))$, where $B \subseteq S$ is a set of states. The linear semantics $[\phi]^{lin}_S$ consists of all the traces $\sigma = s_0, s_1, s_2, \ldots$ for which there is a $k \in \mathbb{N}$ such that $s_i \in B$ for all $i \geq k$, that is, of all the traces that eventually enter $B$, and never leave it again; using temporal-logic notation, we indicate this set of traces by $[\Diamond\Box B]^{lin}_S$. In fact, we have $s_k \in \llbracket \nu y .\ (B \wedge pre_1(y)) \rrbracket_\sigma$ only if $s_i \in B$ for all $i \geq k$, and we have that $s_0 \in \llbracket \phi \rrbracket_\sigma$ iff there is $k \in \mathbb{N}$ such that $s_k \in \llbracket \nu y .\ (B \wedge pre_1(y)) \rrbracket_\sigma$. However, consider a deterministic player-2 structure $G = (S, M, \Gamma_1, \Gamma_2, \delta)$ with $S = \{s,t,u\}$, $M = \{a, b, \cdot\}$, and $\Gamma_2(s) = \{a,b\}$, $\Gamma_2(t) = \Gamma_2(u) = \{a\}$, and transition relation given by $\tau(s,\cdot,a) = \{s\}$, $\tau(s,\cdot,b) = \{t\}$, $\tau(t,\cdot,a) = \{u\}$, $\tau(u,\cdot,a) = \{u\}$, where $\cdot$ is the single move available to player 1. For $B = \{s,u\}$ it is easy to see that $\langle 1 \rangle_G [\phi]^{lin}_S = \langle 1 \rangle_G [\Diamond\Box B]^{lin}_S = \{s,t,u\}$, while $\llbracket \phi \rrbracket_G = \{t,u\}$.

In [dAHM01a], it is shown that in general the linear and branching semantics of $\mu$-calculus formulas are related on all game structures iff they are related on all player-1 and all player-2 game structures.



4 Probabilistic Verification and Control 

The boolean control problem asks whether a player can guarantee that all outcomes are in a desired linear property. The probabilistic control problem asks what is the maximal probability with which a player can guarantee that the outcome of the game belongs to the desired linear property. Given a game structure $G = (S, M, \Gamma_1, \Gamma_2, \delta)$ and a property $\Phi \subseteq S^\omega$, we consider the two probabilistic control problems consisting in computing the functions $\langle 1 \rangle^P_G \Phi, \langle 2 \rangle^P_G \Phi : S \mapsto [0,1]$ defined by:

$\langle 1 \rangle^P_G \Phi = \lambda s \in S .\ \sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2} \Pr_s^{\pi_1,\pi_2}(\Phi)$ (14)

$\langle 2 \rangle^P_G \Phi = \lambda s \in S .\ \sup_{\pi_2 \in \Pi_2} \inf_{\pi_1 \in \Pi_1} \Pr_s^{\pi_1,\pi_2}(\Phi)$ (15)

where $\lambda s \in S .\ f(s)$ is the usual $\lambda$-calculus notation for a function that maps each $s \in S$ into $f(s)$.



4.1 Probabilistic $\mu$-Calculus

For the case in which $\Phi$ is a reachability, safety, or parity property, we can compute the functions (14), (15) using a probabilistic interpretation of $\mu$-calculus [dAM01]. Precisely, given a set $S$ of states, the set $PMC_S$ of probabilistic $\mu$-calculus formulas consists of all $\mu$-calculus formulas defined over the set of predicates $\mathcal{P}_S = 2^S$ and the set of functions $\mathcal{F}_P = \{pre_1, pre_2\}$, where $\mathrm{Dual}(pre_1) = pre_2$. Given a game structure $G = (S, M, \Gamma_1, \Gamma_2, \delta)$, we interpret these formulas over the lattice $L(S \mapsto [0,1], \leq)$ of functions $S \mapsto [0,1]$, ordered pointwise: for $f, g : S \mapsto [0,1]$ and $s \in S$, we have $(f \sqcup g)(s) = \max\{f(s), g(s)\}$ and $(f \sqcap g)(s) = \min\{f(s), g(s)\}$. Negation is defined by $\sim\!f = \lambda s \in S .\ 1 - f(s)$. The predicates are interpreted as characteristic functions: for all $p \in \mathcal{P}_S$, we let $\llbracket p \rrbracket_G = \chi(p)$, where $\chi(p)$ is defined for all $s \in S$ by $\chi(p)(s) = 1$ if $s \in p$, and $\chi(p)(s) = 0$ otherwise. The interpretations of $pre_1$ and $pre_2$ are defined as follows, for $X : S \mapsto [0,1]$:

$\llbracket pre_1 \rrbracket_G(X) = \lambda s \in S .\ \sup_{\zeta_1 \in \mathcal{D}_1(s)} \inf_{\zeta_2 \in \mathcal{D}_2(s)} \mathrm{E}_0(X \mid s, \zeta_1, \zeta_2)$ (16)

$\llbracket pre_2 \rrbracket_G(X) = \lambda s \in S .\ \sup_{\zeta_2 \in \mathcal{D}_2(s)} \inf_{\zeta_1 \in \mathcal{D}_1(s)} \mathrm{E}_0(X \mid s, \zeta_1, \zeta_2)$ (17)

where $\mathrm{E}_0(X \mid s, \zeta_1, \zeta_2) = \sum_{t \in S} \delta(s, \zeta_1, \zeta_2)(t)\, X(t)$ is the next-step expectation of $X$, given that player 1 and player 2 choose their moves according to distributions $\zeta_1$ and $\zeta_2$, respectively. Intuitively, $\llbracket pre_1 \rrbracket_G(X)$ is the function that associates with each $s \in S$ the maximal expectation of $X$ that player 1 can achieve in one step. In particular, for $T \subseteq S$, $\llbracket pre_i \rrbracket_G(\chi(T))$ is the maximal probability with which player $i$ can force a transition to $T$ in one step. We note that, unlike in the boolean case, in probabilistic $\mu$-calculus the operators $pre_1$ and $pre_2$ are dual, so that the calculus requires only two predecessor operators, rather than four. The duality follows directly from the minimax theorem [vN28]: for all $X : S \mapsto [0,1]$ and all $s \in S$, we have

$1 - \llbracket pre_1 \rrbracket_G(X)(s) = 1 - \sup_{\zeta_1 \in \mathcal{D}_1(s)} \inf_{\zeta_2 \in \mathcal{D}_2(s)} \mathrm{E}_0(X \mid s, \zeta_1, \zeta_2)$

$\quad = \inf_{\zeta_1 \in \mathcal{D}_1(s)} \sup_{\zeta_2 \in \mathcal{D}_2(s)} \bigl(1 - \mathrm{E}_0(X \mid s, \zeta_1, \zeta_2)\bigr)$

$\quad = \sup_{\zeta_2 \in \mathcal{D}_2(s)} \inf_{\zeta_1 \in \mathcal{D}_1(s)} \mathrm{E}_0(\sim\!X \mid s, \zeta_1, \zeta_2)$

$\quad = \llbracket pre_2 \rrbracket_G(\sim\!X)(s).$

We denote by $prb(G) = (L(S \mapsto [0,1], \leq), \llbracket \cdot \rrbracket_G)$ the resulting interpretation for $\mu$-calculus. For a closed formula $\phi \in PMC_S$, we write $\llbracket \phi \rrbracket_G$ for the semantics of $\phi$ in $prb(G)$, and we omit $G$ when clear from the context. The solutions to probabilistic control problems with respect to reachability, safety, and parity properties can then be written in $\mu$-calculus as stated by the following theorem.

Theorem 3. [dAM01] For all game structures $G$, all $i \in \{1,2\}$, all $T \subseteq S_G$ and all partitions $\Delta = (T_1, T_2, \ldots, T_m)$ of $S_G$, we have:

$\langle i \rangle^P_G \Diamond T = \llbracket \mu x .\ (T \vee pre_i(x)) \rrbracket_G$ (18)

$\langle i \rangle^P_G \Box T = \llbracket \nu x .\ (T \wedge pre_i(x)) \rrbracket_G$ (19)

$\langle i \rangle^P_G \mathrm{Parity}((T_1, \ldots, T_m)) = \Bigl\llbracket \lambda_m x_m \cdots \mu x_1 .\ \bigvee_{j=1}^{m} (T_j \wedge pre_i(x_j)) \Bigr\rrbracket_G.$ (20)

The above solution formulas are the analogues of (11), (12), and (13), even though the proof of their correctness requires different arguments. The argument for reachability games is as follows. The fixpoint (18) can be computed iteratively by $\llbracket \mu x .\ (T \vee pre_i(x)) \rrbracket_G = \lim_{k \to \infty} X_k$, where $X_0 = \lambda s .\ 0$ and, for $k \in \mathbb{N}$, $X_{k+1} = \chi(T) \sqcup \llbracket pre_i \rrbracket_G(X_k)$. It is then easy to show by induction that $X_k(s)$ is the maximal probability with which player $i$ can reach $T$ from $s \in S$ in at most $k$ steps. In fact, (18) is simply a restatement in $\mu$-calculus of the well-known fixpoint characterization of the solution of positive stochastic games (see, e.g., [FV97]). The solution (19) can also be understood in terms of the iterative evaluation of the fixpoint. We have $\llbracket \nu x .\ (T \wedge pre_i(x)) \rrbracket_G = \lim_{k \to \infty} X_k$, where $X_0 = \lambda s .\ 1$ and, for $k \in \mathbb{N}$, $X_{k+1} = \chi(T) \sqcap \llbracket pre_i \rrbracket_G(X_k)$. It can be shown by induction that $X_k(s)$ is equal to the maximal probability of staying in $T$ for at least $k$ steps that player $i$ can achieve from $s \in S$. The detailed arguments can be found in [dAM01].

We note that on deterministic turn-based structures (and their special cases, such as transition systems), the boolean and probabilistic control problems are equivalent, as are the boolean and probabilistic $\mu$-calculi. Indeed, for all deterministic turn-based game structures $G$ with set of states $S$, and for all properties $\Phi \subseteq S^\omega$, all $i \in \{1,2\}$, and all closed $\mu$-calculus formulas $\phi$ containing only the functions $pre_1$ and $pre_2$, we have that $\chi(\langle i \rangle_G \Phi) = \langle i \rangle^P_G \Phi$ and $\chi(\llbracket \phi \rrbracket_G) = \llbracket \phi \rrbracket^P_G$.

Determinacy. As a consequence of the duality between the $pre_1$ and $pre_2$ operators, probabilistic control problems are determined, unlike their boolean counterparts: in particular, [Mar98] proves that for all games $G$, all sets $\Phi \subseteq S_G^\omega$ in the Borel hierarchy, and all $s \in S_G$, we have $1 - \langle 1 \rangle^P_G \Phi(s) = \langle 2 \rangle^P_G (S^\omega \setminus \Phi)(s)$. While the proof of this result requires advanced arguments, the case in which $\Phi$ is a parity property follows elementarily from our $\mu$-calculus solution formula (20), and from the duality of $pre_1$ and $pre_2$. In fact, consider a partition $\Delta = (T_1, T_2, \ldots, T_m)$ of $S$. Letting $U_1 = \emptyset$ and $U_{i+1} = T_i$ for $1 \leq i \leq m$, we have:

$1 - \langle 1 \rangle^P_G \mathrm{Parity}((T_1, \ldots, T_m)) = 1 - \Bigl\llbracket \lambda_m x_m \cdots \mu x_1 .\ \bigvee_{j=1}^{m} (T_j \wedge pre_1(x_j)) \Bigr\rrbracket_G$

$\quad = \Bigl\llbracket \lambda_{m+1} x_{m+1} \cdots \mu x_1 .\ \bigvee_{j=1}^{m+1} (U_j \wedge pre_2(x_j)) \Bigr\rrbracket_G$

$\quad = \langle 2 \rangle^P_G \mathrm{Parity}((U_1, \ldots, U_{m+1}))$

$\quad = \langle 2 \rangle^P_G (S^\omega \setminus \mathrm{Parity}((T_1, \ldots, T_m))).$



4.2 The Linear Semantics of Probabilistic $\mu$-Calculus

The solution (20) of parity control problems can be restated as follows. For player $i \in \{1,2\}$, all game structures $G$, and all EJ-form formulas $\phi$ containing only the function symbol $pre_i$, we have $\llbracket \phi \rrbracket_G = \langle i \rangle^P_G \mathrm{PtyOf}(\phi)$. Using Lemma 1, we can therefore relate the linear and branching semantics of $\phi$ as follows.

Theorem 4. For all game structures $G$, all $i \in \{1,2\}$, and all closed $\mu$-calculus formulas $\phi \in PMC_{S_G}$ in EJ-form containing only the function symbol $pre_i$, we have that $\llbracket \phi \rrbracket_G = \langle i \rangle^P_G [\phi]^{lin}_{S_G}$.

This theorem relates the branching semantics $\llbracket \phi \rrbracket^P_G$ of probabilistic $\mu$-calculus with the linear semantics $[\phi]^{lin}_{S_G}$ of boolean $\mu$-calculus. In order to relate branching and linear semantics of probabilistic $\mu$-calculus, we define a probabilistic linear semantics of probabilistic $\mu$-calculus.

A trace $\sigma \in S^\omega$ gives rise to an interpretation $\mathcal{I}^P_\sigma = (L(\mathbb{N} \mapsto [0,1], \leq), \llbracket \cdot \rrbracket^P_\sigma)$ for $\mu$-calculus, where $L(\mathbb{N} \mapsto [0,1], \leq)$ is the lattice of functions $\mathbb{N} \mapsto [0,1]$ ordered pointwise, and where a predicate $p \in 2^S$ is interpreted as its characteristic function, i.e., for all $k \geq 0$ we have $\llbracket p \rrbracket^P_\sigma(k) = 1$ if $\sigma_k \in p$, and $\llbracket p \rrbracket^P_\sigma(k) = 0$ if $\sigma_k \notin p$. Similarly to the boolean case, the definitions (16)-(17) can be simplified, since every state of the trace has a single successor. For all $X : \mathbb{N} \mapsto [0,1]$ and $i \in \{1,2\}$ we let $\llbracket pre_i \rrbracket^P_\sigma(X) = \lambda k .\ X(k+1)$. Given a closed $\mu$-calculus formula $\phi \in PMC_S$, we define the probabilistic linear semantics $[\phi]^{plin}_S : S^\omega \mapsto [0,1]$ of $\phi$ over the set of states $S$ by taking the value of $\phi$ over the first state of the trace: specifically, we let $[\phi]^{plin}_S(\sigma) = \llbracket \phi \rrbracket^P_\sigma(0)$.

In the definitions (14), (15) of the probabilistic control and verification problems, the property $\Phi$ is a set of traces. To complete our connection with the probabilistic linear semantics $[\phi]^{plin}_S$ we need to define a probabilistic version of these problems. Let $h : S^\omega \mapsto [0,1]$ be a function that is measurable in the probability space $(S^\omega, \Omega, \Pr_s^{\pi_1,\pi_2})$, for all $\pi_1 \in \Pi_1$ and $\pi_2 \in \Pi_2$. We define:

$\langle 1 \rangle^P_G h = \lambda s \in S .\ \sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2} \mathrm{E}_s^{\pi_1,\pi_2}(h)$

$\langle 2 \rangle^P_G h = \lambda s \in S .\ \sup_{\pi_2 \in \Pi_2} \inf_{\pi_1 \in \Pi_1} \mathrm{E}_s^{\pi_1,\pi_2}(h).$

The relationship between the probabilistic linear and branching semantics is then expressed by the following theorem.

Theorem 5. For all game structures $G$, all $i \in \{1,2\}$, and all closed $\mu$-calculus formulas $\phi \in PMC_{S_G}$ in strongly deterministic form and containing only the function symbol $pre_i$, we have that $\llbracket \phi \rrbracket_G = \langle i \rangle^P_G [\phi]^{plin}_{S_G}$.

For player 1, the above theorem states that for all $s \in S_G$,

$\llbracket \phi \rrbracket_G(s) = \sup_{\pi_1 \in \Pi_1} \inf_{\pi_2 \in \Pi_2} \mathrm{E}_s^{\pi_1,\pi_2}\bigl([\phi]^{plin}_{S_G}\bigr).$ (21)

This equation can be read as follows: the value of a control $\mu$-calculus formula $\llbracket \phi \rrbracket_G$ is equal to the maximal expectation that player 1 can guarantee for the same formula, evaluated on linear traces. The theorem relates not only the branching and the linear probabilistic semantics, but also a global optimization problem to a local one. In (21) the right-hand side represents a global optimization problem: player 1 is trying to maximize the value of the function $[\phi]^{plin}_{S_G}$ over traces, and player 2 is trying to oppose this. On the left-hand side, on the other hand, the optimization is local, being performed through the evaluation of the operator $\llbracket pre_1 \rrbracket_G$ at all states of $G$.

5 Discounted Verification and Control 

In the boolean and probabilistic settings, properties are specified as $\omega$-regular languages, and algorithms are encoded as fixpoint expressions in the $\mu$-calculus. The main theorems, such as Theorem 1 and Theorem 3, express the relationship between the properties and the $\mu$-calculus fixpoints that solve the verification and control problems. The correspondence between the branching and linear semantics serves mainly to clarify the relationship between the local optimization that takes place in the branching semantics, and the global optimization that takes place in the linear semantics. In the discounted setting, on the other hand, we choose not to have an independent notion of discounted property: rather, discounted properties are specified by the linear semantics of formulas of the discounted $\mu$-calculus. The main results for the discounted setting thus concern the relationship between the linear semantics (used to express properties) and the branching semantics (which represents algorithms) of discounted $\mu$-calculus, as well as the relationship between the discounted setting and the undiscounted one. As both properties and algorithms are defined in terms of the $\mu$-calculus, we begin by introducing discounted $\mu$-calculus.

5.1 Discounted $\mu$-Calculus

Given a set $S$ of states and a set $\Gamma$ of discount factors, the set $DMC_{S,\Gamma}$ of discounted $\mu$-calculus formulas consists of all the formulas defined over the set of predicates $\mathcal{P}_S = 2^S$ and the set of functions

$\mathcal{F}_\Gamma = \{\alpha pre_i,\ (1-\alpha) + \alpha pre_i \mid i \in \{1,2\},\ \alpha \in \Gamma\},$

where $\mathrm{Dual}(\alpha pre_1) = (1-\alpha) + \alpha pre_2$ and $\mathrm{Dual}(\alpha pre_2) = (1-\alpha) + \alpha pre_1$. As in the probabilistic case, given a game structure $G = (S, M, \Gamma_1, \Gamma_2, \delta)$, we interpret these formulas over the lattice $L(S \mapsto [0,1], \leq)$ of functions $S \mapsto [0,1]$, ordered pointwise. Again, we define negation by $\sim\!f = \lambda s \in S .\ 1 - f(s)$. The interpretation of predicates and functions is parameterized by a discount factor interpretation $\eta : \Gamma \mapsto [0,1]$, that assigns to each discount factor $\alpha \in \Gamma$ its value $\eta(\alpha) \in [0,1]$. As in the probabilistic semantics, we interpret the predicates $p \in \mathcal{P}_S$ as their characteristic function, i.e., $\llbracket p \rrbracket_{G,\eta} = \chi(p)$. For all $\eta \in (\Gamma \mapsto [0,1])$ and all $i \in \{1,2\}$, we let:

$\llbracket \alpha pre_i \rrbracket_{G,\eta}(X) = \lambda s \in S .\ \eta(\alpha)\, \llbracket pre_i \rrbracket^P_G(X)(s)$ (22)

$\llbracket (1-\alpha) + \alpha pre_i \rrbracket_{G,\eta}(X) = \lambda s \in S .\ (1 - \eta(\alpha)) + \eta(\alpha)\, \llbracket pre_i \rrbracket^P_G(X)(s).$ (23)

Thus, the discounted interpretation of $\alpha pre_i$ is equal to the probabilistic interpretation of $pre_i$, discounted by a factor $\alpha$; the discounted interpretation of $(1-\alpha) + \alpha pre_i$ is equal to the probabilistic interpretation of $pre_i$, discounted by a factor of $\alpha$, and with $1-\alpha$ added to it. We denote by $disc(G,\eta) = (L(S \mapsto [0,1], \leq), \llbracket \cdot \rrbracket_{G,\eta})$ the resulting semantics for the $\mu$-calculus, and we write $\llbracket \phi \rrbracket_{G,\eta}$ for the semantics of $\phi$ in $disc(G,\eta)$, omitting $G$ when clear from the context.

While (22) is the expected definition, (23) requires some justification. Consider a game structure $G = (S, M, \Gamma_1, \Gamma_2, \delta)$. First, notice that this definition ensures that $\alpha pre_1$ and $(1-\alpha) + \alpha pre_2$ are dual: in fact, for $s \in S$ we have

$1 - \llbracket \alpha pre_1 \rrbracket_{G,\eta}(X)(s) = 1 - \eta(\alpha)\, \llbracket pre_1 \rrbracket^P_G(X)(s)$

$\quad = 1 - \eta(\alpha) + \eta(\alpha) - \eta(\alpha)\, \llbracket pre_1 \rrbracket^P_G(X)(s)$

$\quad = (1 - \eta(\alpha)) + \eta(\alpha)\, \bigl[1 - \llbracket pre_1 \rrbracket^P_G(X)(s)\bigr]$

$\quad = (1 - \eta(\alpha)) + \eta(\alpha)\, \llbracket pre_2 \rrbracket^P_G(\sim\!X)(s)$

$\quad = \llbracket (1-\alpha) + \alpha pre_2 \rrbracket_{G,\eta}(\sim\!X)(s).$
The definitions (22) and (23) can also be justified by showing how the resulting predecessor operators can be used to solve discounted reachability and safety games in a way analogous to (18) and (19). Let $T \subseteq S$ be a set of target states, and fix a player $i \in \{1,2\}$. Consider a discounted reachability game, in which player $i$ gets the payoff $\eta(\alpha)^k$ when the target $T$ is reached after $k$ steps, and the payoff 0 if $T$ is not reached. The maximum payoff that player $i$ can guarantee is given by

$\llbracket \mu x .\ (T \vee \alpha pre_i(x)) \rrbracket_{G,\eta}.$ (24)

As an example, consider again the game matchbit, along with the formula $\llbracket \mu x .\ (\{s_{goal}\} \vee \alpha pre_1(x)) \rrbracket_{G,\eta}$, and let $r = \eta(\alpha)$. Let $X_0 = \lambda s .\ 0$ and, for $k \in \mathbb{N}$, let $X_{k+1} = \chi(\{s_{goal}\}) \sqcup \llbracket \alpha pre_1 \rrbracket_{G,\eta}(X_k)$. We can verify that $X_0(s_{try}) = 0$, $X_1(s_{try}) = r(\tfrac{1}{2} \cdot 0 + \tfrac{1}{2} \cdot 1) = \tfrac{r}{2}$, $X_2(s_{try}) = r(\tfrac{1}{2} \cdot \tfrac{r}{2} + \tfrac{1}{2} \cdot 1) = \tfrac{r}{2} + \tfrac{r^2}{4}$, and $\lim_{k \to \infty} X_k(s_{try}) = r/(2-r) = \llbracket \mu x .\ (\{s_{goal}\} \vee \alpha pre_1(x)) \rrbracket_{G,\eta}(s_{try})$.

Consider now a discounted safety game, in which player $i$ gets the payoff $1 - \eta(\alpha)^k$ if the game stays in $T$ for $k$ consecutive steps, and the payoff 1 if $T$ is never left. The maximum payoff that player $i$ can guarantee is given by

$\llbracket \nu x .\ (T \wedge (1-\alpha) + \alpha pre_i(x)) \rrbracket_{G,\eta}.$ (25)

Indeed, one can verify that for all $s \in S$, we have

$1 - \llbracket \mu x .\ (T \vee \alpha pre_1(x)) \rrbracket_{G,\eta}(s) = \llbracket \nu x .\ (\neg T \wedge (1-\alpha) + \alpha pre_2(x)) \rrbracket_{G,\eta}(s)$ (26)

indicating that the payoff player 1 can guarantee in a discounted $T$-reachability game is equal to 1 minus the payoff that player 2 can guarantee for the discounted $\neg T$-safety game.

Above, we have informally introduced discounted reachability and safety games in terms of payoffs associated with the traces. How are these payoffs defined, for more general goals? And what is the precise definition of the games that (24) and (25) solve? To answer these questions, we introduce the linear semantics of discounted $\mu$-calculus, and we once more relate the linear semantics to the branching one.
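The one-step operator $pre_i$ of (16)-(17), the value iterations for (18) and (19) and the determinacy identity of Sect. 4.1, together with the discounted fixpoints (24)-(26) and the matchbit computation above, as one added example in Python (this is not code from the paper). Two assumptions make it self-contained: the matchbit game is reconstructed from the behaviour the text describes (both players pick a bit at $s_{try}$, a match moves to the absorbing $s_{goal}$), and each player has exactly two moves at every state, so $\sup_{\zeta_1} \inf_{\zeta_2} \mathrm{E}_0$ is the value of a $2 \times 2$ zero-sum matrix game, which the example solves in closed form instead of by linear programming.

```python
"""Probabilistic and discounted mu-calculus on a game structure: the
one-step operator pre_i of (16)/(17), the value iterations for (18)/(19),
the determinacy identity 1 - <1>^P = <2>^P, and the discounted fixpoints
(24)-(26) with eta(alpha) = r.

Added example, not the paper's code.  Assumptions: 'matchbit' is
reconstructed from the behaviour the text describes (both players pick a
bit at s_try; a match moves to the absorbing s_goal), and every state has
exactly two moves per player, so sup inf E_0 is the value of a 2x2 zero-sum
matrix game and can be solved in closed form."""


def matrix_game_value(A):
    """Value of the 2x2 zero-sum game A for the row player (maximizer).
    A pure saddle point gives the value; otherwise both diagonal entries
    strictly dominate both off-diagonal ones (or vice versa) and the
    optimal mixed strategies give (ad - bc) / (a + d - b - c)."""
    (a, b), (c, d) = A
    maximin = max(min(a, b), min(c, d))
    minimax = min(max(a, c), max(b, d))
    if maximin == minimax:
        return maximin
    return (a * d - b * c) / (a + d - b - c)


class ProbGame:
    """Game with deterministic transitions delta(s, a1, a2) -> successor and
    the same two moves for both players at every state."""

    def __init__(self, states, moves, delta):
        self.S = list(states)
        self.M = list(moves)
        self.delta = delta

    def pre(self, i, X):
        """[[pre_i]](X)(s) = sup_{zeta_i} inf_{zeta_j} E_0(X | s, zeta_1, zeta_2):
        rows are player i's moves, columns the opponent's, entries X(successor)."""
        val = {}
        for s in self.S:
            rows = []
            for a in self.M:
                row = []
                for b in self.M:
                    a1, a2 = (a, b) if i == 1 else (b, a)
                    row.append(X[self.delta(s, a1, a2)])
                rows.append(row)
            val[s] = matrix_game_value(rows)
        return val


def chi(G, T):
    return {s: 1.0 if s in T else 0.0 for s in G.S}


def join(f, g):
    return {s: max(f[s], g[s]) for s in f}


def meet(f, g):
    return {s: min(f[s], g[s]) for s in f}


def scale(f, r, offset=0.0):
    """offset + r * f pointwise: the discounted operators (22) and (23)."""
    return {s: offset + r * f[s] for s in f}


def iterate(step, start, eps=1e-12, limit=100_000):
    """Kleene iteration until successive valuations agree within eps."""
    x = start
    for _ in range(limit):
        y = step(x)
        if all(abs(y[s] - x[s]) <= eps for s in x):
            return y
        x = y
    return x


def p_reach(G, i, T):
    """<i>^P Diamond T = [[mu x. (T or pre_i(x))]]  (18), X_0 = lambda s.0."""
    return iterate(lambda x: join(chi(G, T), G.pre(i, x)), {s: 0.0 for s in G.S})


def p_safe(G, i, T):
    """<i>^P Box T = [[nu x. (T and pre_i(x))]]  (19), X_0 = lambda s.1."""
    return iterate(lambda x: meet(chi(G, T), G.pre(i, x)), {s: 1.0 for s in G.S})


def disc_reach(G, i, T, r):
    """[[mu x. (T or alpha pre_i(x))]]_{G,eta} with eta(alpha) = r  (24)."""
    return iterate(lambda x: join(chi(G, T), scale(G.pre(i, x), r)),
                   {s: 0.0 for s in G.S})


def disc_safe(G, i, T, r):
    """[[nu x. (T and (1 - alpha) + alpha pre_i(x))]]_{G,eta}  (25)."""
    return iterate(lambda x: meet(chi(G, T), scale(G.pre(i, x), r, 1.0 - r)),
                   {s: 1.0 for s in G.S})


def matchbit():
    """Constructed matchbit game (assumption, see module docstring)."""
    def delta(s, a1, a2):
        if s == "s_goal":
            return "s_goal"
        return "s_goal" if a1 == a2 else "s_try"
    return ProbGame(["s_try", "s_goal"], ["0", "1"], delta)


if __name__ == "__main__":
    G, r = matchbit(), 0.5
    print(p_reach(G, 1, {"s_goal"})["s_try"])        # about 1.0: reached almost surely
    print(p_safe(G, 2, {"s_try"})["s_try"])          # about 0.0: determinacy, 1 - 1 = 0
    print(disc_reach(G, 1, {"s_goal"}, r)["s_try"])  # about r / (2 - r) = 1/3
    print(disc_safe(G, 2, {"s_try"}, r)["s_try"])    # about 1 - r / (2 - r), equation (26)
```

Contrast this with the boolean computation: probabilistically, $\langle 1 \rangle^P \Diamond\{s_{goal}\}(s_{try})$ converges to 1 and $\langle 2 \rangle^P \Box\{s_{try}\}(s_{try})$ to 0, so their sum is 1 as determinacy requires, whereas the boolean sets left $s_{try}$ in neither winning region. The discounted iteration reproduces the limit $r/(2-r)$ stated in the text, and `disc_safe` for player 2 on $\neg T$ is pointwise $1 - $ `disc_reach` for player 1 on $T$, which is (26). Note that the iteration only converges to within `eps` of the fixpoint; the assertions below allow for that.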

5.2 The Linear Semantics of Discounted $\mu$-Calculus

A discounted property is the interpretation of a discounted $\mu$-calculus formula over linear traces. Similarly to the probabilistic case, the linear semantics of discounted $\mu$-calculus associates with each trace a number in the interval $[0,1]$ obtained by evaluating the $\mu$-calculus formula over the trace, and taking the value at the initial state of the trace.

Consider a set $\Gamma$ of discount factors, along with a discount factor interpretation $\eta : \Gamma \mapsto [0,1]$. A trace $\sigma \in S^\omega$ gives rise to an interpretation $\mathcal{I}^\eta_\sigma = (L(\mathbb{N} \mapsto [0,1], \leq), \llbracket \cdot \rrbracket^\eta_\sigma)$ for the discounted $\mu$-calculus formulas in $DMC_{S,\Gamma}$. As in the probabilistic case, all predicates $p \in 2^S$ are interpreted as their characteristic function, i.e., for all $k \geq 0$ we have $\llbracket p \rrbracket^\eta_\sigma(k) = 1$ if $\sigma_k \in p$, and $\llbracket p \rrbracket^\eta_\sigma(k) = 0$ if $\sigma_k \notin p$. The definitions (22) and (23) can be simplified, since in a trace, every location has a single successor. For all $X : \mathbb{N} \mapsto [0,1]$ and $i \in \{1,2\}$ we let

$\llbracket \alpha pre_i \rrbracket^\eta_\sigma(X) = \lambda k .\ [\eta(\alpha)\, X(k+1)]$

$\llbracket (1-\alpha) + \alpha pre_i \rrbracket^\eta_\sigma(X) = \lambda k .\ [(1 - \eta(\alpha)) + \eta(\alpha)\, X(k+1)].$

Given a closed $\mu$-calculus formula $\phi \in DMC_{S,\Gamma}$, we then define its discounted linear semantics $[\phi]^{disc,\eta}_S : S^\omega \mapsto [0,1]$ by $[\phi]^{disc,\eta}_S(\sigma) = \llbracket \phi \rrbracket^\eta_\sigma(0)$. A discounted property is the mapping $S^\omega \mapsto [0,1]$ defined by the linear semantics of a closed discounted $\mu$-calculus formula $\phi \in DMC_{S,\Gamma}$.

As an example, consider again a subset $T \subseteq S$ of target states, and a player $i \in \{1,2\}$. The payoff of the discounted reachability game considered informally in Sect. 5.1 can be defined by $[\mu x .\ (T \vee \alpha pre_i(x))]^{disc,\eta}_S$: indeed,

$[\mu x .\ (T \vee \alpha pre_i(x))]^{disc,\eta}_S(\sigma) = \eta(\alpha)^k,$

where $k = \min\{j \in \mathbb{N} \mid \sigma_j \in T\}$. The fact that (24) represents the maximum payoff that player 1 can achieve in a game structure $G$ can be formalized as

$\langle 1 \rangle^P_G [\mu x .\ (T \vee \alpha pre_1(x))]^{disc,\eta}_S = \llbracket \mu x .\ (T \vee \alpha pre_1(x)) \rrbracket_{G,\eta}.$ (27)

Similarly, the payoff of the discounted safety game considered informally in Sect. 5.1 can be defined by $[\nu x .\ (T \wedge (1-\alpha) + \alpha pre_i(x))]^{disc,\eta}_S$: indeed,

$[\nu x .\ (T \wedge (1-\alpha) + \alpha pre_i(x))]^{disc,\eta}_S(\sigma) = 1 - \eta(\alpha)^k,$

where $k = \min\{j \in \mathbb{N} \mid \sigma_j \notin T\}$. Also in this case, for all game structures $G$ we have:

$\langle 1 \rangle^P_G [\nu x .\ (T \wedge (1-\alpha) + \alpha pre_1(x))]^{disc,\eta}_S = \llbracket \nu x .\ (T \wedge (1-\alpha) + \alpha pre_1(x)) \rrbracket_{G,\eta}.$ (28)

The relations (27) and (28) are just two special cases of the general relation between the linear and branching semantics of discounted $\mu$-calculus, expressed by the following theorem.

Theorem 6. For all game structures $G$, all players $i \in \{1,2\}$, all sets $\Gamma$ of discount factors, all discount factor evaluations $\eta \in (\Gamma \mapsto [0,1])$, and all closed $\mu$-calculus formulas $\phi \in DMC_{S_G,\Gamma}$ in strongly deterministic form that contain only the function symbols $\alpha pre_i$ and $(1-\alpha) + \alpha pre_i$ for $\alpha \in \Gamma$, we have that $\llbracket \phi \rrbracket_{G,\eta} = \langle i \rangle^P_G [\phi]^{disc,\eta}_{S_G}$.

This theorem is the main result about the verification of discounted properties, as it relates a discounted property $[\phi]^{disc,\eta}_{S_G}$ to the valuation $\llbracket \phi \rrbracket_{G,\eta}$ computed by the verification algorithm $\phi$ over the game structure $G$.
Determinacy. Since discounted properties are defined as the linear semantics of discounted $\mu$-calculus formulas, the duality of discounted control problems can be stated as follows.

Theorem 7. For all game structures $G$, all sets $\Gamma$ of discount factors, all discount factor evaluations $\eta \in (\Gamma \mapsto [0,1])$, and all closed $\mu$-calculus formulas $\phi \in DMC_{S_G,\Gamma}$ in strongly deterministic form that contain only the function symbols $\alpha pre_1$ and $(1-\alpha) + \alpha pre_1$ for $\alpha \in \Gamma$, we have that

1 - = (2)f 

5.3 Relation between Discounted and Probabilistic $\mu$-Calculus

Given $r \in [0,1]$, denote by $E_r(\Gamma)$ the set of all discount factor interpretations $\eta : \Gamma \mapsto [0,r]$, i.e., those bound by $r$. If $\eta \in E_r(\Gamma)$ for $r < 1$, we say that $\eta$ is contractive. A fixpoint quantifier $\mu x$ or $\nu x$ occurs guarded in a formula $\phi$ if a function symbol $pre$ occurs on every syntactic path from the quantifier to a quantified occurrence of the variable $x$. For example, in the formula $\mu x .\ (T \vee \alpha pre_1(x))$ the fixpoint quantifier occurs guarded; in the formula $(1-\alpha) + \alpha pre_1(\mu x .\ (T \vee x))$ it does not. Under a contractive discount factor interpretation, every guarded occurrence of a fixpoint quantifier defines a contractive operator on the values of the free variables that are in the scope of the quantifier. Hence, by the Banach fixpoint theorem, the fixpoint is unique. In such cases, we need not distinguish between $\mu$ and $\nu$ quantifiers, and we denote both by $\lambda$.

If $\eta(\alpha) = 1$, then both $\llbracket \alpha pre_i \rrbracket_{G,\eta}$ and $\llbracket (1-\alpha) + \alpha pre_i \rrbracket_{G,\eta}$ reduce to the undiscounted function $\llbracket pre_i \rrbracket_G$, for $i \in \{1,2\}$. The following theorem extends this observation to the complete $\mu$-calculus, showing how the semantics of the discounted $\mu$-calculus converges to the semantics of the undiscounted $\mu$-calculus as the discount factors approach 1. To state the result, we extend the semantics of discounted $\mu$-calculus to interpret also the functions $pre_1$, $pre_2$, letting $\llbracket pre_i \rrbracket_{G,\eta} = \llbracket pre_i \rrbracket_G$ for all $i \in \{1,2\}$, game structures $G$, and all discount interpretations $\eta$. We also let $\eta[\alpha := a]$ be the discount factor interpretation defined by $\eta[\alpha := a](\alpha) = a$ and $\eta[\alpha := a](\alpha') = \eta(\alpha')$ for $\alpha \neq \alpha'$.

Theorem 8. [dAHM03] For all game structures $G$, let $\phi(x) \in DMC_{S_G,\Gamma}$ be a $\mu$-calculus formula with free variable $x$, and discount factor $\alpha$. The following assertions hold:

1. If $x$ and $\alpha$ always and only occur in the context $\alpha pre_i(x)$, for $i \in \{1,2\}$, then

$\lim_{a \to 1} \llbracket \lambda x .\ \phi(\alpha pre_i(x)) \rrbracket_{G,\eta[\alpha := a]} = \llbracket \mu x .\ \phi(pre_i(x)) \rrbracket_{G,\eta[\alpha := 1]}.$

2. If $x$ and $\alpha$ always and only occur in the context $(1-\alpha) + \alpha pre_i(x)$, then

$\lim_{a \to 1} \llbracket \lambda x .\ \phi((1-\alpha) + \alpha pre_i(x)) \rrbracket_{G,\eta[\alpha := a]} = \llbracket \nu x .\ \phi(pre_i(x)) \rrbracket_{G,\eta[\alpha := 1]}.$





The remarkable fact is that the order of quantifiers in probabilistic $\mu$-calculus corresponds to the order in which the limits are taken in discounted $\mu$-calculus. For instance, for a game structure $G$ and $T \subseteq S_G$, let $\phi = \lambda y .\ \lambda x .\ ((\neg T \wedge \alpha pre_i(x)) \vee (T \wedge (1-\beta) + \beta pre_i(y)))$. We have that

$\lim_{a \to 1} \lim_{b \to 1} \llbracket \phi \rrbracket_{G,\eta[\alpha := a, \beta := b]} = \llbracket \mu x .\ \nu y .\ ((\neg T \wedge pre_i(x)) \vee (T \wedge pre_i(y))) \rrbracket_G$ (29)

$\lim_{b \to 1} \lim_{a \to 1} \llbracket \phi \rrbracket_{G,\eta[\alpha := a, \beta := b]} = \llbracket \nu y .\ \mu x .\ ((\neg T \wedge pre_i(x)) \vee (T \wedge pre_i(y))) \rrbracket_G.$ (30)

Formula (29) is the solution of probabilistic co-Büchi games with goal $\Diamond\Box T$, while (30) is the solution of probabilistic Büchi games with goal $\Box\Diamond T$.



6 Equivalence Metrics

To complete the extension of the classical boolean framework for specification, verification, and control to the quantitative case, we show how the classical notion of bisimulation can be extended to the quantitative setting, and how our quantitative \(\mu\)-calculi characterize quantitative bisimulation, just as the boolean \(\mu\)-calculus, like CTL, characterizes bisimulation.

6.1 Alternating Bisimulation

In the boolean setting, and for deterministic game structures, the notion of bisimulation for games is called alternating bisimulation [AHKV98]. Fix a deterministic game structure \(\mathcal{G} = (S, M, \Gamma_1, \Gamma_2, \delta)\), along with a set \(P \subseteq 2^S\) of predicates. A relation \(R \subseteq S \times S\) is a player-1 alternating bisimulation if, for all \(s,t \in S\), \((s,t) \in R\) implies that \(s \in p \Leftrightarrow t \in p\) for all \(p \in P\), and if \((s,t) \in R\), then
\[ \forall a_1 \in \Gamma_1(s).\ \exists b_1 \in \Gamma_1(t).\ \forall b_2 \in \Gamma_2(t).\ \exists a_2 \in \Gamma_2(s).\ R(\delta(s,a_1,a_2), \delta(t,b_1,b_2)), \]
\[ \forall b_1 \in \Gamma_1(t).\ \exists a_1 \in \Gamma_1(s).\ \forall a_2 \in \Gamma_2(s).\ \exists b_2 \in \Gamma_2(t).\ R(\delta(s,a_1,a_2), \delta(t,b_1,b_2)), \]
where \(R(\{t_1\},\{t_2\})\) iff \((t_1,t_2) \in R\), for all \(t_1,t_2 \in S\). The definition of a player-2 alternating bisimulation is obtained by exchanging in the above definition the roles of players 1 and 2. A relation \(R\) is an alternating bisimulation if it is both a player-1 and a player-2 alternating bisimulation.

To obtain the coarsest player-1 alternating bisimulation, i.e., the largest relation that is a player-1 alternating bisimulation, we can use a symbolic fixpoint approach [Mil90], which, in view of our extension to the quantitative case, we state as follows. A binary distance function is a function \(d: S \times S \to \{0,1\}\) that maps each pair of states \(s,t \in S\) to their distance \(d(s,t) \in \{0,1\}\), and such that for all \(s,t,u \in S\), we have \(d(s,t) = d(t,s)\) and \(d(s,t) \le d(s,u) + d(u,t)\). For distance functions \(d, d'\) we let \(d \le d'\) iff \(d(s,t) \le d'(s,t)\) for all \(s,t \in S\). We define the functor \(F_1\) mapping binary distance functions to binary distance functions: for all binary distance functions \(d\) and all \(s,t \in S\), we let \(F_1(d)(s,t) = 1\) if there is \(p \in P\) such that \(s \in p \not\Leftrightarrow t \in p\), and we let
\[ F_1(d)(s,t) = \max\left\{ \max_{a_1\in\Gamma_1(s)}\ \min_{b_1\in\Gamma_1(t)}\ \max_{b_2\in\Gamma_2(t)}\ \min_{a_2\in\Gamma_2(s)} d(\delta(s,a_1,a_2),\delta(t,b_1,b_2)),\ \ \max_{b_1\in\Gamma_1(t)}\ \min_{a_1\in\Gamma_1(s)}\ \max_{a_2\in\Gamma_2(s)}\ \min_{b_2\in\Gamma_2(t)} d(\delta(s,a_1,a_2),\delta(t,b_1,b_2)) \right\} \]
otherwise, where \(d(\{t_1\},\{t_2\}) = d(t_1,t_2)\) for all \(t_1,t_2 \in S\). A player-1 alternating bisimulation \(R\) is simply a relation whose characteristic function is a fixpoint of \(F_1\), i.e., it is a subset \(R \subseteq S \times S\) such that \(\chi(R) = F_1(\chi(R))\), where \(\chi(R)(s,t)\) is 0 if \((s,t) \in R\), and is 1 otherwise. In particular, the coarsest player-1 alternating bisimulation is given by \(B^{\mathrm{alt}}_1 = d_1^*\), where \(d_1^*\) is the least fixpoint of the functor \(F_1\), i.e., the least distance function that satisfies \(d_1^* = F_1(d_1^*)\). We define the coarsest player-2 alternating bisimulation \(B^{\mathrm{alt}}_2\) in an analogous fashion, with respect to a functor \(F_2\) obtained by swapping the roles of players 1 and 2 in the definition of \(F_1\). Finally, the coarsest alternating bisimulation is given by \(B^{\mathrm{alt}} = d^*\), where \(d^*\) is the least distance function that satisfies both \(d^* = F_1(d^*)\) and \(d^* = F_2(d^*)\). When we wish to make explicit the dependence of the bisimulation relations on the game and on \(P\), we write \(B^{\mathrm{alt}}_{1,\mathcal{G},P}\), \(B^{\mathrm{alt}}_{2,\mathcal{G},P}\) and \(B^{\mathrm{alt}}_{\mathcal{G},P}\) for \(B^{\mathrm{alt}}_1\), \(B^{\mathrm{alt}}_2\), and \(B^{\mathrm{alt}}\). The following theorem, derived from [AHKV98], relates alternating bisimulation and boolean \(\mu\)-calculus.
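As an added illustration (not part of the paper), the following Python computes the coarsest player-1 alternating bisimulation of a small deterministic game structure by iterating \(F_1\) from the all-zero distance function until the least fixpoint is reached, and then checks the resulting relation directly against the \(\forall\exists\forall\exists\) definition above. The game structure, its move names and its predicate set are constructed for this example; in it, states A and B both have X and Y as possible successors, but the choice belongs to player 1 in A and to player 2 in B, so a plain bisimulation on the successor graph would relate them while the player-1 alternating bisimulation does not.

```python
"""Added example: coarsest player-1 alternating bisimulation of a
deterministic game structure, as the least fixpoint of the functor F_1
on binary distance functions (0 = related, 1 = distinguished).
The game structure below is constructed for this illustration."""

from itertools import product


class DetGame:
    """Deterministic game structure (S, M, Gamma_1, Gamma_2, delta) plus
    a predicate set P; delta(s, a1, a2) is a single successor state."""

    def __init__(self, states, gamma1, gamma2, delta, preds):
        self.S = list(states)
        self.G1 = gamma1        # state -> list of player-1 moves
        self.G2 = gamma2        # state -> list of player-2 moves
        self.delta = delta      # (s, a1, a2) -> successor
        self.P = [frozenset(p) for p in preds]

    def succ(self, s, a1, a2):
        return self.delta[(s, a1, a2)]


def separated_by_predicate(game, s, t):
    return any((s in p) != (t in p) for p in game.P)


def apply_F1(game, d):
    """One application of F_1; F_2 is obtained by swapping G1 and G2."""
    new = {}
    for s, t in product(game.S, repeat=2):
        if separated_by_predicate(game, s, t):
            new[(s, t)] = 1
            continue

        def dd(a1, a2, b1, b2):
            return d[(game.succ(s, a1, a2), game.succ(t, b1, b2))]

        # max_{a1 in G1(s)} min_{b1 in G1(t)} max_{b2 in G2(t)} min_{a2 in G2(s)}
        first = max(min(max(min(dd(a1, a2, b1, b2) for a2 in game.G2[s])
                            for b2 in game.G2[t])
                        for b1 in game.G1[t])
                    for a1 in game.G1[s])
        # max_{b1 in G1(t)} min_{a1 in G1(s)} max_{a2 in G2(s)} min_{b2 in G2(t)}
        second = max(min(max(min(dd(a1, a2, b1, b2) for b2 in game.G2[t])
                             for a2 in game.G2[s])
                         for a1 in game.G1[s])
                     for b1 in game.G1[t])
        new[(s, t)] = max(first, second)
    return new


def coarsest_player1_bisim(game):
    """Least fixpoint of F_1, iterated from the all-zero distance function
    (F_1 is monotone, so the iteration only ever raises distances).
    Returns the relation {(s, t) | d*(s, t) = 0}."""
    d = {(s, t): 0 for s, t in product(game.S, repeat=2)}
    while True:
        nd = apply_F1(game, d)
        if nd == d:
            return {st for st, v in d.items() if v == 0}
        d = nd


def is_player1_alt_bisim(game, R):
    """Check the forall/exists definition of a player-1 alternating
    bisimulation directly, independently of the fixpoint computation."""
    def rel(s, a1, a2, t, b1, b2):
        return (game.succ(s, a1, a2), game.succ(t, b1, b2)) in R
    for s, t in R:
        if separated_by_predicate(game, s, t):
            return False
        cond1 = all(any(all(any(rel(s, a1, a2, t, b1, b2) for a2 in game.G2[s])
                            for b2 in game.G2[t])
                        for b1 in game.G1[t])
                    for a1 in game.G1[s])
        cond2 = all(any(all(any(rel(s, a1, a2, t, b1, b2) for b2 in game.G2[t])
                            for a2 in game.G2[s])
                        for a1 in game.G1[s])
                    for b1 in game.G1[t])
        if not (cond1 and cond2):
            return False
    return True


def example_game():
    """Constructed example. From A (and its copy C) player 1 chooses between
    successors X and Y; from B the same choice belongs to player 2. X is
    the only state satisfying the predicate p."""
    S = ["A", "B", "C", "X", "Y"]
    G1 = {"A": ["l", "r"], "B": ["*"], "C": ["l", "r"], "X": ["*"], "Y": ["*"]}
    G2 = {"A": ["*"], "B": ["l", "r"], "C": ["*"], "X": ["*"], "Y": ["*"]}
    delta = {("A", "l", "*"): "X", ("A", "r", "*"): "Y",
             ("B", "*", "l"): "X", ("B", "*", "r"): "Y",
             ("C", "l", "*"): "X", ("C", "r", "*"): "Y",
             ("X", "*", "*"): "X", ("Y", "*", "*"): "Y"}
    return DetGame(S, G1, G2, delta, preds=[{"X"}])


if __name__ == "__main__":
    g = example_game()
    R = coarsest_player1_bisim(g)
    print(sorted(R))  # A~C, but A and B are not related although both reach X and Y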

Theorem 9. For a deterministic game structure \(\mathcal{G}\), the following assertions hold:

1. For all \(i \in \{1,2\}\), we have that \((s,t) \notin B^{\mathrm{alt}}_{i,\mathcal{G},P}\) iff there is a closed \(\mu\)-calculus formula \(\phi \in \mathit{BMC}_{S_\mathcal{G}}\) containing only predicates in \(P\) and functions in \(\{pre_i, dpre_i\}\) such that \(s \in [\![\phi]\!]_\mathcal{G}\) and \(t \notin [\![\phi]\!]_\mathcal{G}\).

2. \((s,t) \notin B^{\mathrm{alt}}_{\mathcal{G},P}\) iff there is a closed \(\mu\)-calculus formula \(\phi \in \mathit{BMC}_{S_\mathcal{G}}\) containing only predicates in \(P\) such that \(s \in [\![\phi]\!]_\mathcal{G}\) and \(t \notin [\![\phi]\!]_\mathcal{G}\).



6.2 Game Bisimulation Distance

To obtain a quantitative version of alternating bisimulation, we adapt the definition of \(F_1\) to the case of probabilistic game structures and quantitative distance functions [dAHM03]. Fix a game structure \(\mathcal{G} = (S, M, \Gamma_1, \Gamma_2, \delta)\), along with a set \(P \subseteq 2^S\) of predicates. A distance function is a mapping \(d: S \times S \to [0,1]\) such that for all \(s,t,u \in S\) we have \(d(s,t) = d(t,s)\) and \(d(s,t) \le d(s,u) + d(u,t)\). We define discounted game bisimulation [dAHM03] with respect to a discount factor \(r \in [0,1]\); the undiscounted case corresponds to \(r = 1\). Given \(r \in [0,1]\), we define the functor \(G_r\) mapping distance functions to distance functions: for every distance function \(d\) and all states \(s,t \in S\), we define \(G_r(d)(s,t) = 1\) if there is \(p \in P\) such that \(s \in p \not\Leftrightarrow t \in p\), and
\[ G_r(d)(s,t) = r \cdot \max\left\{ \sup_{\xi_1\in D_1(s)}\ \inf_{\zeta_1\in D_1(t)}\ \sup_{\zeta_2\in D_2(t)}\ \inf_{\xi_2\in D_2(s)} D(d)(\delta(s,\xi_1,\xi_2), \delta(t,\zeta_1,\zeta_2)),\ \ \sup_{\zeta_1\in D_1(t)}\ \inf_{\xi_1\in D_1(s)}\ \sup_{\xi_2\in D_2(s)}\ \inf_{\zeta_2\in D_2(t)} D(d)(\delta(s,\xi_1,\xi_2), \delta(t,\zeta_1,\zeta_2)) \right\} \]
otherwise. For a distance function \(d\) and distributions \(\xi_1\) and \(\xi_2\), we let \(D(d)(\xi_1,\xi_2)\) be the extension of the function \(d\) from states to distributions [vBW01a], given by the solution to the linear program \(\max \sum_{s \in S} (\xi_1(s) - \xi_2(s))\,k_s\), where the variables \(\{k_s\}_{s \in S}\) are subject to \(k_s - k_t \le d(s,t)\) for all \(s,t \in S\). The least distance function that is a fixpoint of \(G_r\) is called \(r\)-discounted game bisimilarity, and denoted \(B^{\mathrm{gm}}_r\). On MDPs (one-player game structures), for \(r < 1\), discounted game bisimulation coincides with the discounted distance metrics of [vBW01a]. Again, we write \(B^{\mathrm{gm}}_{r,\mathcal{G},P}\) when we wish to make explicit the dependency of \(B^{\mathrm{gm}}_r\) on the game \(\mathcal{G}\) and on the subset of predicates \(P\).

By the minimax theorem [vN28], we can exchange the two middle sup and inf operators in the definition of \(G_r\); as a consequence, it is easy to see that the definition is symmetric with respect to players 1 and 2. Thus, there is only one version of (un)discounted game bisimulation, in contrast to the two distinct player-1 and player-2 alternating bisimulations. Indeed, comparing the definitions of \(F_1\) and \(G_r\), we see that alternating bisimulation is defined with respect to deterministic move distributions, and the minimax theorem does not hold if the players are forced to use deterministic distributions. The following theorem relates game bisimilarity with the quantitative and discounted \(\mu\)-calculus.

Theorem 10. [dAHM03] The following assertions hold for all game structures \(\mathcal{G}\).

1. Let \(\mathit{PMC}_{S_\mathcal{G},P}\) be the set of closed \(\mu\)-calculus formulas in \(\mathit{PMC}_{S_\mathcal{G}}\) that contain only predicates in \(P\). For all \(s,t \in S_\mathcal{G}\) we have
\[ B^{\mathrm{gm}}_{1,\mathcal{G},P}(s,t) = \sup_{\phi \in \mathit{PMC}_{S_\mathcal{G},P}} \bigl| [\![\phi]\!]_\mathcal{G}(s) - [\![\phi]\!]_\mathcal{G}(t) \bigr|. \]

2. Let \(\mathit{DMC}_{S_\mathcal{G},\Gamma,P}\) be the set of closed \(\mu\)-calculus formulas in \(\mathit{DMC}_{S_\mathcal{G},\Gamma}\) that contain only predicates in \(P\). For all \(s,t \in S_\mathcal{G}\) and all \(r \in [0,1]\), we have
\[ B^{\mathrm{gm}}_{r,\mathcal{G},P}(s,t) = \sup_{\phi \in \mathit{DMC}_{S_\mathcal{G},\Gamma,P}}\ \sup_{\eta \in E_r(\Gamma)} \bigl| [\![\phi]\!]_{\mathcal{G},\eta}(s) - [\![\phi]\!]_{\mathcal{G},\eta}(t) \bigr|. \]

It is possible to extend the connection between the discounted \(\mu\)-calculus and equivalence relations further, including results about the stability of bisimulation and discounted \(\mu\)-calculus with respect to perturbations in the game structure [DGJP02,dAHM03].

References

[AHK02] R. Alur, T.A. Henzinger, and O. Kupferman. Alternating-time temporal logic. J. ACM, 49:672-713, 2002.

[AHKV98] R. Alur, T.A. Henzinger, O. Kupferman, and M.Y. Vardi. Alternating refinement relations. In CONCUR 98: Concurrency Theory. 9th Int. Conf., volume 1466 of Lect. Notes in Comp. Sci., pages 163-178. Springer-Verlag, 1998.




126 



L. de Alfaro 



[BC96] G. Bhat and R. Cleaveland. Efficient model checking via the equational \(\mu\)-calculus. In Proc. 11th IEEE Symp. Logic in Comp. Sci., pages 304-312, 1996.

[Ber95] D.P. Bertsekas. Dynamic Programming and Optimal Control. Athena Scientific, 1995. Volumes I and II.

[BL69] J.R. Büchi and L.H. Landweber. Solving sequential conditions by finite-state strategies. Trans. Amer. Math. Soc., 138:295-311, 1969.

[Bry86] R.E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8):677-691, 1986.

[Con92] A. Condon. The complexity of stochastic games. Information and Computation, 96:203-224, 1992.

[dAH00] L. de Alfaro and T.A. Henzinger. Concurrent omega-regular games. In Proc. 15th IEEE Symp. Logic in Comp. Sci., pages 141-154, 2000.

[dAHK98] L. de Alfaro, T.A. Henzinger, and O. Kupferman. Concurrent reachability games. In Proc. 39th IEEE Symp. Found. of Comp. Sci., pages 564-575. IEEE Computer Society Press, 1998.

[dAHM01a] L. de Alfaro, T.A. Henzinger, and R. Majumdar. From verification to control: Dynamic programs for omega-regular objectives. In Proc. 16th IEEE Symp. Logic in Comp. Sci., pages 279-290. IEEE Press, 2001.

[dAHM01b] L. de Alfaro, T.A. Henzinger, and R. Majumdar. Symbolic algorithms for infinite-state games. In CONCUR 01: Concurrency Theory. 12th Int. Conf., volume 2154 of Lect. Notes in Comp. Sci., pages 536-550. Springer-Verlag, 2001.

[dAHM03] L. de Alfaro, T.A. Henzinger, and R. Majumdar. Discounting the future in systems theory. In Proc. 30th Int. Colloq. Aut. Lang. Prog., Lect. Notes in Comp. Sci. Springer-Verlag, 2003.

[dAM01] L. de Alfaro and R. Majumdar. Quantitative solution of omega-regular games. In Proc. 33rd ACM Symp. Theory of Comp., pages 675-683. ACM Press, 2001.

[DEP02] J. Desharnais, A. Edalat, and P. Panangaden. Bisimulation for labelled Markov processes. Information and Computation, 179(2):163-193, 2002.

[Der70] C. Derman. Finite State Markovian Decision Processes. Academic Press, 1970.

[DGJP99] J. Desharnais, V. Gupta, R. Jagadeesan, and P. Panangaden. Metrics for labelled Markov systems. In CONCUR'99: Concurrency Theory. 10th Int. Conf., volume 1664 of Lect. Notes in Comp. Sci., pages 258-273. Springer, 1999.

[DGJP02] J. Desharnais, V. Gupta, R. Jagadeesan, and P. Panangaden. The metric analogue of weak bisimulation for probabilistic processes. In Proc. 17th IEEE Symp. Logic in Comp. Sci., pages 413-422, 2002.

[EJ91] E.A. Emerson and C.S. Jutla. Tree automata, mu-calculus and determinacy (extended abstract). In Proc. 32nd IEEE Symp. Found. of Comp. Sci., pages 368-377. IEEE Computer Society Press, 1991.

[EL86] E.A. Emerson and C.L. Lei. Efficient model checking in fragments of the propositional \(\mu\)-calculus. In Proc. First IEEE Symp. Logic in Comp. Sci., pages 267-278, 1986.

[Eve57] H. Everett. Recursive games. In Contributions to the Theory of Games III, volume 39 of Annals of Mathematical Studies, pages 47-78, 1957.

[Fel83] Y.A. Feldman. A decidable propositional probabilistic dynamic logic. In Proc. 15th ACM Symp. Theory of Comp., pages 298-309, 1983.

[FH82] Y.A. Feldman and D. Harel. A probabilistic dynamic logic. In Proc. 14th ACM Symp. Theory of Comp., pages 181-195, 1982.

[FV97] J. Filar and K. Vrieze. Competitive Markov Decision Processes. Springer-Verlag, 1997.

[HK97] M. Huth and M. Kwiatkowska. Quantitative analysis and model checking. In Proc. 12th IEEE Symp. Logic in Comp. Sci., pages 111-122, 1997.

[HM00] T.A. Henzinger and R. Majumdar. A classification of symbolic transition systems. In Proc. of 17th Annual Symp. on Theor. Asp. of Comp. Sci., volume 1770 of Lect. Notes in Comp. Sci., pages 13-34. Springer-Verlag, 2000.

[Koz83a] D. Kozen. A probabilistic PDL. In Proc. 15th ACM Symp. Theory of Comp., pages 291-297, 1983.

[Koz83b] D. Kozen. Results on the propositional \(\mu\)-calculus. Theoretical Computer Science, 27(3):333-354, 1983.

[KSK66] J.G. Kemeny, J.L. Snell, and A.W. Knapp. Denumerable Markov Chains. D. Van Nostrand Company, 1966.

[Mar98] D.A. Martin. The determinacy of Blackwell games. The Journal of Symbolic Logic, 63(4):1565-1581, 1998.

[Mil90] R. Milner. Operational and algebraic semantics of concurrent processes. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, pages 1202-1242. Elsevier Science Publishers (North-Holland), Amsterdam, 1990.

[MP91] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer-Verlag, New York, 1991.

[Rei80] J.H. Reif. Logic for probabilistic programming. In Proc. 12th ACM Symp. Theory of Comp., pages 8-13, 1980.

[Ros90] K.I. Rosenthal. Quantales and Their Applications, volume 234 of Pitman Research Notes in Mathematics Series. Longman Scientific & Technical, Harlow, 1990.

[Sha53] L.S. Shapley. Stochastic games. Proc. Nat. Acad. Sci. USA, 39:1095-1100, 1953.

[Tho90] W. Thomas. Automata on infinite objects. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, chapter 4, pages 135-191. Elsevier Science Publishers (North-Holland), Amsterdam, 1990.

[Tho95] W. Thomas. On the synthesis of strategies in infinite games. In Proc. of 12th Annual Symp. on Theor. Asp. of Comp. Sci., volume 900 of Lect. Notes in Comp. Sci., pages 1-13. Springer-Verlag, 1995.

[vBW01a] F. van Breugel and J. Worrell. An algorithm for quantitative verification of probabilistic transition systems. In CONCUR 01: Concurrency Theory. 12th Int. Conf., volume 2154 of Lect. Notes in Comp. Sci., pages 336-350, 2001.

[vBW01b] F. van Breugel and J. Worrell. Towards quantitative verification of probabilistic systems. In Proc. 28th Int. Colloq. Aut. Lang. Prog., volume 2076 of Lect. Notes in Comp. Sci., pages 421-432. Springer-Verlag, 2001.

[vN28] J. von Neumann. Zur Theorie der Gesellschaftsspiele. Math. Annalen, 100:295-320, 1928.




Playing Games with Boxes and Diamonds*

Rajeev Alur (1), Salvatore La Torre (2), and P. Madhusudan (1)

(1) University of Pennsylvania
(2) Università degli Studi di Salerno

Abstract. Deciding infinite two-player games on finite graphs with the winning condition specified by a linear temporal logic (LTL) formula is known to be 2EXPTIME-complete. The previously known hardness proofs encode Turing machine computations using the next and/or until operators. Furthermore, in the case of model checking, disallowing next and until, and retaining only the always and eventually operators, lowers the complexity from PSPACE to NP. Whether such a reduction in complexity is possible for deciding games has been an open problem. In this paper, we provide a negative answer to this question. We introduce new techniques for encoding Turing machine computations using games, and show that deciding games for the LTL fragment with only the always and eventually operators is 2EXPTIME-hard. We also prove that if in this fragment we do not allow the eventually operator in the scope of the always operator and vice versa, deciding games is EXPSPACE-hard, matching the previously known upper bound. On the positive side, we show that if the winning condition is a Boolean combination of formulas of the form "eventually p" and "infinitely often p," for a state formula p, then the game can be decided in PSPACE, and we also establish a matching lower bound. Such conditions include safety and reachability specifications on game graphs augmented with fairness conditions for the two players.



1 Introduction

Linear temporal logic (LTL) is a specification language for writing correctness requirements of reactive systems [13,11], and is used by verification tools such as Spin [8]. The most studied decision problem concerning LTL is model checking: given a finite-state abstraction \(G\) of a reactive system and an LTL formula \(\varphi\), do all infinite computations of \(G\) satisfy \(\varphi\)? The corresponding synthesis question is: given a game graph \(G\) whose states are partitioned into system states and environment states, and an LTL formula \(\varphi\), consider the infinite game in which the protagonist chooses the successor in all system states and the adversary chooses the successor in all environment states; then, does the protagonist have a strategy to ensure that all the resulting computations satisfy \(\varphi\)? Such a game-based interpretation for LTL is useful in many contexts: for synthesizing controllers from specifications [14], for formalizing compositionality requirements such as realizability [1] and receptiveness [6], for specification and verification of open systems [3], for modular verification [10], and for construction of the most-general environments for automating assume-guarantee reasoning [2]. In the contexts of open systems and modular verification, this game is played in the setting where a module is considered as the protagonist player, and its environment, which may consist of other concurrent modules in the system that interact with this module, is taken as the adversary.

* Detailed proofs are available at http://www.cis.upenn.edu/ madhusud/

An LTL formula is built from state predicates (\(\Pi\)), Boolean connectives, and temporal operators such as next, eventually, always, and until. While the model checking problem for full LTL is known to be PSPACE-complete, the fragment \(L_{\Box,\Diamond,\wedge,\vee}(\Pi)\) that allows only the eventually and always operators (but no next or until) has a small model property, with an NP-complete model checking problem [15]. Deciding games for full LTL is known to be 2EXPTIME-complete [14]. The hardness proof, like many lower bound proofs for LTL, employs the until/next operators in a critical way to relate successive configurations. This raises the hope that deciding games for \(L_{\Box,\Diamond,\wedge,\vee}(\Pi)\) has a lower complexity than full LTL. In this paper, we provide a negative answer to this question by proving a 2EXPTIME lower bound.

The proof of 2EXPTIME-hardness is by reduction of the halting problem for alternating exponential-space Turing machines to deciding games with winning conditions specified by formulas that use only the always and eventually operators. The reduction introduces some new techniques for counting and encoding configurations in game graphs and formulas. We believe that these techniques are of independent interest. Using these techniques we show another hardness result: deciding games for the fragment \(B(L_{\Diamond,\wedge,\vee}(\Pi))\) is EXPSPACE-hard. This fragment contains top-level Boolean combinations of formulas from \(L_{\Diamond,\wedge,\vee}(\Pi)\), the logic of formulas built from state predicates, conjunctions, disjunctions, and eventually operators. \(B(L_{\Diamond,\wedge,\vee}(\Pi))\) is known to be in EXPSPACE [4], while \(L_{\Diamond,\wedge,\vee}(\Pi)\) is known to be in PSPACE [12], so our result closes this complexity gap.

Finally, we consider the fragment \(B(L_{\Box\Diamond}(\Pi))\) that contains Boolean combinations of formulas of the form \(\Box\Diamond p\), where \(p\) is a state predicate. The complexity for formulas of specific forms in this class is well known: generalized Büchi games (formulas of the form \(\bigwedge_i \Box\Diamond p_i\)) are solvable in polynomial time, and Streett games (\(\bigwedge_i (\Box\Diamond p_i \rightarrow \Box\Diamond q_i)\)) are co-NP-complete (the dual Rabin games are NP-complete) [7]. We show that the Zielonka-tree representation of the winning sets of vertices [17] can be exploited to get a PSPACE procedure to solve the games for the fragment \(B(L_{\Box\Diamond}(\Pi))\). This logic is of relevance in modeling fairness assumptions about components of a reactive system. A typical fairness requirement such as "if a choice is enabled infinitely often then it must be taken infinitely often" corresponds to a Streett condition [11]. Such conditions are common in the context of concurrent systems, where they are used to capture fairness in the scheduling of processes. In games with fairness constraints, the winning condition is modified to "if the adversary satisfies all the fairness constraints then the protagonist satisfies its fairness constraints and meets the specification" [3]. Thus, adding fairness changes the winning conditions for specifications from a logic \(\mathcal{L}\) to Boolean combinations of \(L_{\Box\Diamond}(\Pi)\) and \(\mathcal{L}\) formulas. We show that the PSPACE upper bound holds for fair games for specifications in \(B(L_{\Diamond,\wedge}(\Pi))\), containing Boolean combinations of formulas that are built from state predicates, conjunctions, and eventually operators, which can specify combinations of invariant and termination properties. This result has been used to show that the model checking of the game-based temporal logic Alternating Temporal Logic is in PSPACE under strong fairness requirements [3]. We conclude by showing that deciding games for formulas of the form "Streett implies Streett" (that is, \(\bigwedge_i(\Box\Diamond p_i \rightarrow \Box\Diamond q_i) \rightarrow \bigwedge_j(\Box\Diamond r_j \rightarrow \Box\Diamond s_j)\)) is PSPACE-hard.

2 LTL Fragments and Game Graphs

2.1 Linear Temporal Logic

We first recall the syntax and the semantics of linear temporal logic. Let \(V\) be a set of propositions. Then the set of state predicates \(\Pi\) is the set of boolean formulas over \(V\). We define temporal logics by assuming that the atomic formulas are state predicates. A linear temporal logic (LTL) formula is composed of state predicates (\(\Pi\)), the Boolean connectives negation (\(\neg\)), conjunction (\(\wedge\)) and disjunction (\(\vee\)), the temporal operators next (\(\bigcirc\)), eventually (\(\Diamond\)), always (\(\Box\)), and until (\(\mathcal{U}\)). Formulas are built up in the usual way from these operators and connectives, according to the grammar
\[ \varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \bigcirc\varphi \mid \Diamond\varphi \mid \Box\varphi \mid \varphi\,\mathcal{U}\,\varphi, \]
where \(p \in \Pi\). LTL formulas are interpreted on \(\omega\)-words over \(2^V\) in the standard way [13].

In the rest of the paper we consider some fragments of LTL. For a set of LTL formulas \(F\), we denote by \(L_{op_1,\ldots,op_k}(F)\) the logic built from the formulas in \(F\) by using only the operators in the list \(op_1,\ldots,op_k\). When the list of operators contains only the Boolean connectives we use the notation \(B(F)\), i.e., \(B(F) = L_{\neg,\wedge,\vee}(F)\). In particular, \(\Pi = B(V)\). As an example, the logic \(L_{\Diamond,\wedge}(\Pi)\) is the one defined by the grammar \(\varphi ::= p \mid \varphi \wedge \varphi \mid \Diamond\varphi\), where \(p \in \Pi\), and the logic \(B(L_{\Diamond,\wedge}(\Pi))\) contains Boolean combinations of the formulas from \(L_{\Diamond,\wedge}(\Pi)\).

2.2 LTL Games

A game graph is a tuple \(G = (\Lambda, V, V_0, V_1, \gamma, \mu)\) where \(\Lambda\) is a finite set of labels, \(V\) is a finite set of vertices, \(V_0\) and \(V_1\) define a partition of \(V\), \(\gamma: V \to 2^V\) is a function giving for each vertex \(u \in V\) the set of its successors in \(G\), and \(\mu: V \to \Lambda\) is a labeling function. For \(i = 0,1\), the vertices in \(V_i\) are those from which only player \(i\) can move, and the allowed moves are given by \(\gamma\). A play starting at \(x_0\) is a sequence \(x_0 x_1 \ldots\) in \(V^*\) or \(V^\omega\) such that \(x_j \in \gamma(x_{j-1})\) for every \(j \ge 1\). A strategy for player \(i\) is a total function \(f: V^* V_i \to V\) mapping each finite play ending in \(V_i\) into \(V\) (it gives the moves of player \(i\) in any play ending in \(V_i\)). A play \(x_0 x_1 \ldots\) is consistent with \(f\) if for all \(x_j \in V_i\) with \(j \ge 0\), \(f(x_0 \ldots x_j) = x_{j+1}\).

In this paper, we focus on determining the existence of strategies for player 0. For this reason, player 0 is called the protagonist, while player 1 is the adversary. Unless specified otherwise, by 'strategy' we mean a strategy for the protagonist. Moreover, we consider game graphs along with winning conditions expressed by LTL formulas (LTL games). Formally, an LTL game is a triple \((G, \varphi, u)\), where \(G\) is a game graph with vertices labeled with subsets of atomic propositions, \(\varphi\) is an LTL formula and \(u\) is a vertex of \(G\). A strategy \(f\) in \((G, \varphi, u)\) is winning if all infinite plays consistent with \(f\) and starting at \(u\) satisfy \(\varphi\). The decision problem for an LTL game \((G, \varphi, u)\) is to determine if there exists a winning strategy for the protagonist.
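As an added example, not from the paper: a Python encoding of game graphs, plays, positional strategies and consistency as defined above, together with a solver for the simplest winning condition, \(\Diamond p\), by attractor computation (a standard construction that the paper does not spell out), and a check, straight from the definition, that the strategy it produces is winning from every vertex of the winning set. The game graph, its labels and the proposition \(p\) are constructed for this example.

```python
"""Added example: game graphs, plays, positional strategies and winning
strategies as defined for LTL games, with a solver for the winning
condition "eventually p" by attractor computation. The game graph below
is constructed for this illustration."""


class GameGraph:
    """G = (Lambda, V, V0, V1, gamma, mu) with Lambda = 2^Props."""

    def __init__(self, succ, protagonist, labels):
        self.V = list(succ)
        self.gamma = {v: list(ws) for v, ws in succ.items()}          # gamma: V -> 2^V
        self.V0 = set(protagonist)                                     # player 0 (protagonist)
        self.V1 = set(self.V) - self.V0                                # player 1 (adversary)
        self.mu = {v: frozenset(labels.get(v, ())) for v in self.V}   # mu: V -> 2^Props
        assert all(self.gamma[v] for v in self.V), "every vertex needs a successor"


def is_play(G, xs):
    """x_j in gamma(x_{j-1}) for every j >= 1."""
    return all(xs[j] in G.gamma[xs[j - 1]] for j in range(1, len(xs)))


def consistent(G, xs, f):
    """A finite play is consistent with a positional strategy f: V0 -> V
    if every move taken from a protagonist vertex is the one f prescribes."""
    return is_play(G, xs) and all(f[xs[j]] == xs[j + 1]
                                  for j in range(len(xs) - 1) if xs[j] in G.V0)


def attractor(G, target):
    """Vertices from which the protagonist can force a visit to `target`,
    with a positional strategy. A protagonist vertex joins the set when
    some successor is in it, an adversary vertex when all successors are."""
    win, strategy = set(target), {}
    changed = True
    while changed:
        changed = False
        for v in G.V:
            if v in win:
                continue
            if v in G.V0:
                good = [w for w in G.gamma[v] if w in win]
                if good:
                    strategy[v] = good[0]
                    win.add(v)
                    changed = True
            elif all(w in win for w in G.gamma[v]):
                win.add(v)
                changed = True
    for v in G.V0:                      # complete f to a total function on V0
        strategy.setdefault(v, G.gamma[v][0])
    return win, strategy


def solve_eventually(G, p):
    """Winning set and strategy for the LTL game with condition <>p."""
    return attractor(G, {v for v in G.V if p in G.mu[v]})


def winning_for_eventually(G, f, u, p):
    """Check the definition: f is winning for (G, <>p, u) iff no infinite
    play consistent with f from u avoids p forever. For a positional f
    this holds iff the f-restricted graph has no cycle among p-free
    vertices reachable from u without passing through p (DFS back edge)."""
    if p in G.mu[u]:
        return True

    def moves(v):
        return [f[v]] if v in G.V0 else G.gamma[v]

    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}

    def dfs(v):
        colour[v] = GREY
        for w in moves(v):
            if p in G.mu[w]:
                continue                      # obligation discharged on this branch
            c = colour.get(w, WHITE)
            if c == GREY or (c == WHITE and not dfs(w)):
                return False                  # p-free cycle: the adversary can loop forever
        colour[v] = BLACK
        return True

    return dfs(u)


def example_graph():
    """Constructed example: from a the protagonist may go to b or c; the
    adversary at b can escape to the trap t, while c leads only to goal g."""
    succ = {"a": ["b", "c"], "b": ["g", "t"], "c": ["g"],
            "d": ["b"], "g": ["g"], "t": ["t"]}
    return GameGraph(succ, protagonist={"a", "d"}, labels={"g": {"p"}})


if __name__ == "__main__":
    G = example_graph()
    win, f = solve_eventually(G, "p")
    print(sorted(win), f)   # the protagonist wins from a (by moving to c), c and g only
```

The attractor returns a positional strategy, which is enough for \(\Diamond p\); the general definition above allows \(f\) to depend on the whole finite play, which the richer winning conditions in the paper require.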



3 Lower Bound Results

When proving lower bounds for LTL games, the usual technique is to code the acceptance problem for alternating Turing machines [16,12]. The crux in such a proof is to detect, using the LTL specification, that the content of the \(i\)-th cell in a configuration is in accordance with the \((i-1)\)-th, \(i\)-th and \((i+1)\)-th cells of the previous configuration. In a reduction from 2EXPTIME (i.e. alternating EXPSPACE), typically, the cell numbers are explicitly encoded using a sub-word of bits in the configuration sequence; these numbers can be read by zooming into the cell in some configuration using the \(\Diamond\) operator, using the \(\bigcirc\) operator to read the cell numbers, and using the \(\mathcal{U}\) operator to access the next configuration. Here the \(\mathcal{U}\) operator can be used instead of \(\bigcirc\), but \(\mathcal{U}\) cannot be replaced by \(\Diamond\). In an EXPSPACE reduction (i.e. alternating EXPTIME), the configuration numbers are also encoded explicitly, and one can just use the \(\Diamond\) and \(\bigcirc\) operators to access three cells of a configuration and the appropriate position in the next configuration. Hence both proofs use the \(\bigcirc\) operator, and the 2EXPTIME reduction uses the \(\mathcal{U}\) operator crucially.

The primary difficulty in the lower bounds we present is in dealing with reductions in the absence of the \(\bigcirc\) and \(\mathcal{U}\) operators. The \(\Diamond\) operator can basically check only for subsequences and can hence "jump" arbitrarily far, making it difficult to read the cell and configuration numbers. The main idea to solve this, which we call the matching trick below, is to introduce a "sandwiched" encoding of addresses which forces the reading of cell numbers to be contiguous. This then yields an EXPSPACE lower bound for \(B(L_{\Diamond,\wedge,\vee}(\Pi))\).

Then we consider \(L_{\Box,\Diamond,\wedge,\vee}(\Pi)\), where one can nest \(\Diamond\) and \(\Box\) operators. Though this does not allow us to check the required property on an entire sequence of configurations, it allows us to check it for the last two configurations in a sequence. By giving the adversary the ability to stop the sequence of configurations at any point, we can ensure that the entire sequence satisfies the property, which leads to a 2EXPTIME lower bound for this fragment.
3.1 Alternating Turing Machines

An alternating Turing machine on words over an alphabet \(\Sigma\) is a Turing machine \(M = (\Sigma, Q, Q_\exists, Q_\forall, q_{in}, q_f, \delta)\), where \(Q_\exists\) and \(Q_\forall\) are disjoint sets of respectively existential and universal states that form a partition of \(Q\), \(q_{in}\) is the initial state, \(q_f\) is the final state and \(\delta: Q \times \Sigma \times \{D_1, D_2\} \to Q \times \Sigma \times \{L, R\}\). For each pair \((q,\sigma) \in Q \times \Sigma\), there are exactly two transitions, which we denote respectively as the \(D_1\)-transition and the \(D_2\)-transition. Suppose \(q\) is the current state and the tape head is reading the symbol \(\sigma\) on cell \(i\); if the \(d\)-transition \(\delta(q,\sigma,d) = (q',\sigma',L)\) is taken, \(M\) writes \(\sigma'\) on cell \(i\), enters state \(q'\) and moves the read head to the left (\(L\)), to cell \(i-1\). A configuration of \(M\) is a word \(\sigma_1 \ldots \sigma_{i-1}\,(q,\sigma_i) \ldots \sigma_n\), where \(\sigma_1 \ldots \sigma_n\) is the content of the tape and \(M\) is in state \(q\) with the tape head at cell \(i\). The initial configuration contains the input word \(w\) and the initial state. An outcome of \(M\) is a sequence of configurations, starting from the initial configuration, constructed as a play in the game where the \(\exists\)-player picks the next transition (i.e. \(D_1\) or \(D_2\)) when the play is in a state of \(Q_\exists\), and the \(\forall\)-player picks the next transition when the play is in a state of \(Q_\forall\). A computation of \(M\) is a strategy of the \(\exists\)-player, and an input word \(w\) is accepted iff there exists a computation such that all plays according to it reach a configuration with state \(q_f\). We recall that an alternating Turing machine is \(g(n)\) time-bounded if it halts on all input words of length \(n\) within \(g(n)\) steps, and \(g(n)\) space-bounded if it halts on all input words of length \(n\) using at most \(g(n)\) tape cells (see [9]). We also recall that the acceptance problem is EXPSPACE-complete for exponentially time-bounded alternating Turing machines, and is 2EXPTIME-complete for exponentially space-bounded alternating Turing machines [5].

3.2 The Matching Trick

Fix \(n\) (which we assume is a power of 2) and let \(m = \log_2 n\). Let us fix a set of propositions \(\{p^T_1,\ldots,p^T_m,p^F_1,\ldots,p^F_m\}\) and another set \(\{q^T_1,\ldots,q^T_m,q^F_1,\ldots,q^F_m\}\). Let us also fix a finite alphabet \(\Sigma\) disjoint from these. The gadget we describe allows us to access the \(i\)-th element of a sequence of \(n\) letters over \(\Sigma\), using a formula which is polynomial in \(\log n\) and which uses only the \(\Diamond\) modality. Let \([i,j]\) denote the set of numbers from \(i\) to \(j\), both inclusive. Let \([i]\) denote \([1,i]\).

Let \(u = u_m \ldots u_1\) denote a sequence of length \(m\) such that \(u_b\) is either \(\{p^T_b\}\) or \(\{p^F_b\}\), for \(b \in [m]\). Similarly, let \(v = v_1 \ldots v_m\) (note the reversal in indices) denote a sequence where each \(v_b\) is either \(\{q^T_b\}\) or \(\{q^F_b\}\). We call these sequences \(u\)-addresses and \(v\)-addresses, respectively. A \(u\)-address \(u = u_m \ldots u_1\) is to be seen as the binary representation of a number from 0 to \(n-1\): the proposition \(p^T_b\) belongs to \(u_b\) if the \(b\)-th bit of the number is 1, otherwise \(p^F_b\) belongs to \(u_b\) (\(u_m\) encodes the most significant bit). Similarly, a \(v\)-address \(v\) also represents a number, but note that the representation is reversed, with the most significant bit \(v_m\) at the end of the sequence. For \(i \in \{0,\ldots,n-1\}\), let \(u[i]\) and \(v[i]\) denote the \(u\)-address and the \(v\)-address representing the number \(i\). For example, if \(m = 4\), \(u[5] = \{p^F_4\}\cdot\{p^T_3\}\cdot\{p^F_2\}\cdot\{p^T_1\}\) and \(v[5] = \{q^T_1\}\cdot\{q^F_2\}\cdot\{q^T_3\}\cdot\{q^F_4\}\).

We encode a letter \(a \in \Sigma\) at position \(i \in [0,n-1]\) as the string \(\langle a\rangle_i = u[i]\cdot a\cdot v[n-1-i]\), i.e., \(\langle a\rangle_i\) has \(a\) sandwiched between a \(u\)-address representing \(i\) and a \(v\)-address representing \(n-1-i\). Note that in \(\langle a\rangle_i\), \(v_b = \{q^T_b\}\) iff \(u_b = \{p^F_b\}\), for every \(b \in [m]\). Now consider a sequence of such encodings in ascending order, \(\langle a_0\rangle_0 \cdot \langle a_1\rangle_1 \cdots \langle a_{n-1}\rangle_{n-1}\). We call such a sequence a proper sequence. Note that while the \(u\)-addresses run from 0 to \(n-1\), the \(v\)-addresses run from \(n-1\) to 0. Let \(w\) be a proper sequence, \(a \in \Sigma\) and \(i \in [0,n-1]\). We say that \(a\) matches \(i\) in \(w\) if \(\langle a\rangle_i\) is a (not necessarily contiguous) subsequence of \(w\). The main property of this encoding is that it allows us to check whether a letter \(a\) is encoded at a position \(i\) by simply checking whether \(\langle a\rangle_i\) is a subsequence of the proper sequence \(w\), i.e. by checking if \(a\) matches \(i\) in \(w\). For example, when \(m = 4\), consider \(w = u[0]\,a_0\,v[15] \cdots u[15]\,a_{15}\,v[0]\). Let us consider for which letters \(a \in \Sigma\) the string \(u[5]\,a\,v[10]\) is a subsequence of \(w\). \(\{p^T_3\}\) is in \(u[5]\), and the first place where it occurs in \(w\) is in the address \(u[4]\). After this, the first place where \(\{p^T_1\}\) occurs in \(w\) is in \(u[5]\). Hence the shortest prefix \(w'\) of \(w\) such that \(u[5]\) is a subsequence of \(w'\) is \(u[0]\,a_0\,v[15] \cdots u[5]\). Similarly, the shortest suffix \(w''\) of \(w\) such that \(v[10]\) is a subsequence of \(w''\) is \(v[10] \cdots u[15]\,a_{15}\,v[0]\). Hence if \(u[5]\,a\,v[10]\) is a subsequence of \(w\), then \(a = a_5\). The following lemma captures this:

Lemma 1. Let \(w = \langle a_0\rangle_0 \cdot \langle a_1\rangle_1 \cdots \langle a_{n-1}\rangle_{n-1}\) be a proper sequence, \(a \in \Sigma\) and \(i \in [0,n-1]\). Then \(a\) matches \(i\) in \(w\) iff \(a = a_i\).

Finally, we show how to check whether \(a\) matches \(i\) in \(w\) using a formula in \(B(L_{\Diamond,\wedge,\vee}(\Pi))\). If \(\beta_1,\ldots,\beta_k\) are state predicates, let \(Seq(\beta_1,\ldots,\beta_k)\) stand for the formula \(\Diamond(\beta_1 \wedge \Diamond(\beta_2 \wedge \ldots \Diamond(\beta_k)\ldots))\). Intuitively, this checks if there is a subsequence along which \(\beta_1\) through \(\beta_k\) hold, in that order. Let \(a \in \Sigma\) and \(i \in [0,n-1]\). Let \(x_m,\ldots,x_1\) be such that \(x_b = true\) iff the \(b\)-th bit in the binary representation of \(i\) is 1. Let \(Same(p_b,x_b)\) stand for the formula \((p^T_b \wedge x_b) \vee (p^F_b \wedge \neg x_b)\), which asserts that the value of \(p_b\) is the same as that of \(x_b\), where \(b \in [m]\). Similarly, let \(Diff(q_b,x_b)\) be the formula \((q^T_b \wedge \neg x_b) \vee (q^F_b \wedge x_b)\), which asserts that the value of \(q_b\) is the negation of \(x_b\). With \(Match(a,i)\) we denote the formula \(Seq(Same(p_m,x_m),\ldots,Same(p_1,x_1),\,a,\,Diff(q_1,x_1),\ldots,Diff(q_m,x_m))\). It is then easy to see that for any proper sequence \(w\), \(w\) satisfies \(Match(a,i)\) iff \(\langle a\rangle_i\) is a subsequence of \(w\), i.e. iff \(a\) matches \(i\) in \(w\).
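As an added example, not from the paper: the sandwiched encoding, proper sequences, the subsequence test of Lemma 1, and the formula \(Match(a,i)\) with \(Seq\) evaluated under the subsequence semantics of nested \(\Diamond\) on a finite proper sequence, all in Python. It reproduces the \(m = 4\) computation above (the prefix containing \(u[5]\) ends in \(u[5]\), the suffix containing \(v[10]\) starts at \(v[10]\)) and also shows what goes wrong without the \(v\)-address. The letters \(a_0,\ldots,a_{15}\) and the encoding of propositions as tuples are constructed for this example.

```python
"""Added example: the sandwiched address encoding <a>_i = u[i].a.v[n-1-i],
proper sequences, the subsequence test of Lemma 1, and the formula
Match(a, i) evaluated under the subsequence semantics of nested <>.
Propositions are encoded as tuples ("p", b, "T"/"F") and ("q", b, "T"/"F");
the letters a_0..a_15 are constructed for this illustration."""


def u_address(i, m):
    """u[i] = u_m ... u_1: most significant bit first; u_b = {p_b^T} iff bit b of i is 1."""
    return [frozenset({("p", b, "T" if (i >> (b - 1)) & 1 else "F")})
            for b in range(m, 0, -1)]


def v_address(i, m):
    """v[i] = v_1 ... v_m: the same number with the bit order reversed."""
    return [frozenset({("q", b, "T" if (i >> (b - 1)) & 1 else "F")})
            for b in range(1, m + 1)]


def encode(a, i, m):
    """<a>_i: the letter sandwiched between u[i] and v[n-1-i]."""
    n = 1 << m
    return u_address(i, m) + [frozenset({a})] + v_address(n - 1 - i, m)


def proper_sequence(letters, m):
    assert len(letters) == 1 << m
    w = []
    for i, a in enumerate(letters):
        w += encode(a, i, m)
    return w


def is_subsequence(pattern, w):
    """Greedy left-to-right test that pattern is a (not necessarily
    contiguous) subsequence of w; greedy matching decides this exactly."""
    pos = 0
    for sym in pattern:
        while pos < len(w) and w[pos] != sym:
            pos += 1
        if pos == len(w):
            return False
        pos += 1
    return True


def matches(a, i, w, m):
    """'a matches i in w'. By Lemma 1 this holds iff a = a_i."""
    return is_subsequence(encode(a, i, m), w)


# Formula side. State predicates are functions on one position (a set of
# propositions); Seq(b_1, ..., b_k) = <>(b_1 /\ <>(b_2 /\ ... <>(b_k)...)).
def same(b, x):
    """Same(p_b, x_b) = (p_b^T /\ x_b) \\/ (p_b^F /\ not x_b) for a fixed bit x_b."""
    return lambda pos: ("p", b, "T" if x else "F") in pos


def diff(b, x):
    """Diff(q_b, x_b) = (q_b^T /\ not x_b) \\/ (q_b^F /\ x_b)."""
    return lambda pos: ("q", b, "F" if x else "T") in pos


def letter(a):
    return lambda pos: a in pos


def match_formula(a, i, m):
    """Match(a, i) as the list of predicates handed to Seq."""
    x = {b: bool((i >> (b - 1)) & 1) for b in range(1, m + 1)}
    return ([same(b, x[b]) for b in range(m, 0, -1)] + [letter(a)]
            + [diff(b, x[b]) for b in range(1, m + 1)])


def holds_seq(preds, w):
    """Seq(preds) at position 0 of the finite word w. <> is reflexive, so
    the next predicate is searched from the position witnessing the last."""
    pos = 0
    for beta in preds:
        while pos < len(w) and not beta(w[pos]):
            pos += 1
        if pos == len(w):
            return False
    return True


def letters_matching(w, i, m, alphabet):
    """Letters a for which Match(a, i) holds on w: exactly {a_i} (Lemma 1)."""
    return {a for a in alphabet if holds_seq(match_formula(a, i, m), w)}


def letters_matching_u_only(w, i, m, alphabet):
    """Without the v-address, u[i].a is a subsequence for every letter at a
    position >= i, which is why the sandwich is needed."""
    return {a for a in alphabet
            if is_subsequence(u_address(i, m) + [frozenset({a})], w)}


if __name__ == "__main__":
    m = 4
    letters = ["a%d" % i for i in range(16)]
    w = proper_sequence(letters, m)
    print(letters_matching(w, 5, m, letters))                  # {'a5'}
    print(sorted(letters_matching_u_only(w, 5, m, letters)))   # a5 ... a15
```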



3.3 Lower Bound for $B(L_{\Diamond,\wedge,\vee}(\Pi))$

We show in this section that deciding $B(L_{\Diamond,\wedge,\vee}(\Pi))$ games is EXPSPACE-hard.
The reduction is from the membership problem for alternating exponential-time
Turing machines. We show that for such a Turing machine $M$, given an input
word $w$, we can construct an instance of a game and a $B(L_{\Diamond,\wedge,\vee}(\Pi))$ specification
in polynomial time such that $M$ accepts $w$ if and only if the protagonist has a
winning strategy in the game.

Let us fix an alternating exponential-time Turing machine $M =
(\Sigma, Q, Q_\exists, Q_\forall, q_{in}, q_f, \delta)$ and an input word $w \in \Sigma^*$. Let us assume that $M$
takes at most $m$ units of time on $w$ ($m$ is exponential in $|w|$). The game we construct
will be such that the protagonist generates sequences of configurations
beginning with the initial configuration (with $w$ on its tape). During the game,
after an existential configuration the protagonist gets to choose the transition
(i.e. $D_1$ or $D_2$) while at a universal configuration the adversary gets to pick the
transition. The specification will demand that successive configurations do
indeed correspond to moves of $M$. Hence strategies of the protagonist correspond
to runs on $w$.

Let $\pi$ be any play according to a computation. Then $\pi$ is a sequence of
configurations of length $m$ and each configuration can be represented using a
sequence of at most $m$ symbols (since $M$ cannot use space more than $m$). We
record $\pi$ by encoding each cell of each configuration by explicitly encoding the
number of the configuration and the number of the cell within the configuration.
Configurations are represented as strings over the alphabet $\Sigma' = \Sigma \cup (Q \times \Sigma)$,
namely from the set $\Sigma^* \cdot (Q \times \Sigma) \cdot \Sigma^*$.

In order to describe the configuration number and the cell number, each of
which ranges from 0 to $m-1$, we need $k$ bits, where $m = 2^{k/2}$. Let us fix a set of
p-bits $\{p_l^z \mid l \in [1,k], z \in \{T,F\}\}$ and a set of q-bits $\{q_l^z \mid l \in [1,k], z \in \{T,F\}\}$.
We employ the matching trick using these p-bits, q-bits and $\Sigma'$ (see Sect. 3.2
and recall the definitions).

For any $i \in [0, m^2-1]$, the $k/2$ less significant bits of $i$ will represent the
cell number and the $k/2$ more significant bits will represent the configuration
number. Let $u'[conf, cell]$, where $conf, cell \in [0,m-1]$, denote the u-address
$u[2^{k/2} \cdot conf + cell]$. Hence $u'[conf, cell]$ encodes that the current configuration
number is $conf$ and the current cell number is $cell$. Similarly, define $v'[conf, cell]$
as the v-address $v[2^{k/2} \cdot conf + cell]$. A proper sequence hence is of the form:

$$u'[0,0]\,a_{(0,0)}\,v'[m-1,m-1] \;\cdots\; u'[0,m-1]\,a_{(0,m-1)}\,v'[m-1,0]\;\; u'[1,0]\,a_{(1,0)}\,v'[m-2,m-1] \;\cdots\; u'[m-1,m-1]\,a_{(m-1,m-1)}\,v'[0,0].$$

The game graph we construct is composed of three parts: a main part and two
sub-graphs $G_1$ and $G_2$. In the main part, the protagonist's aim is to generate
sequences of letters from $\Sigma'$ sandwiched between a u-address and a v-address
that form a proper sequence. The adversary's aim is to check that the current
sequence is proper and conforms to the behavior of $M$. If the adversary claims
that one of these is not true, the game moves to the subgraphs $G_1$ and $G_2$ where
the adversary will have to provide witnesses to prove these claims.

The set of propositions we use includes the p-bits, q-bits and those in $\Sigma'$,
as well as a set of r-bits, s-bits, t-bits and e-bits $\{r_b^z, s_b^z, t_b^z, e_b^z \mid b \in [1,k], z \in \{T,F\}\}$,
and other new propositions $\{D_1, D_2, ok, obj_1, obj_2\}$. The game graph
typically allows plays that look like:

[Figure: a typical play. Central line: $u_0 a_0 v_0\ ok\ \cdots\ u_\gamma a_\gamma v_\gamma\ ok\ d\ u'_0 a'_0 v'_0\ \cdots\ u_f a_f v_f\ ok\ ok\ ok \ldots$; at each $ok$ position the adversary may instead branch to $obj_1$, and at the final position also to $obj_2$.]

The central line above shows how a play normally proceeds. The protagonist
generates sequences of triples consisting of a u-address, a letter in $\Sigma'$ and a
v-address. Note that each triple has $2k+1$ letters. After every such triple, the
adversary gets a chance where it can continue the normal course by choosing
$ok$ or can generate an objection by choosing $obj_1$. Objection $obj_1$ leads the play
to the subgraph $G_1$. Whenever the protagonist generates an address where the
last $k/2$ bits of the u-address are 1 (denoted $u_\gamma a_\gamma v_\gamma$ above), this denotes the end
of a configuration, and the play reaches a protagonist state if the configuration
generated was existential and an adversary state if it was universal. Accordingly,
the protagonist or the adversary chooses the next letter $d \in \{D_1, D_2\}$ which
denotes the transition they wish to take from the current configuration.

At the end of the whole sequence, when a u-address with all its $k$ bits set
to 1 is generated (denoted $u_f a_f v_f$ above), the adversary, apart from being able
to raise the first kind of objection, can also raise a second kind of objection
by choosing the action $obj_2$ that leads the play to the sub-graph $G_2$. If the
adversary instead chooses not to raise an objection, the game enters a state
where the action $ok$ occurs infinitely often and no other actions are permitted.

Note that the game graph does not ensure that the sequence generated is a
proper sequence; in fact, it even allows triples of the form $u[i] \cdot a \cdot v[j]$ where
$j \neq 2^k - 1 - i$. The objections $obj_1$ and $obj_2$ will take care of this and make sure
that a proper sequence needs to be generated for the protagonist to win.

On the objection $obj_1$, the play moves to $G_1$ where the adversary claims
that in the sequence generated thus far, there was a u-address for $i$ which was
not followed by a u-address for $i+1$, or there was a u-address for $i$ which was
not followed by a v-address for $2^k - 1 - i$. The adversary chooses as a witness a
sequence of $k$ r-bits $x_k \cdots x_1$, where $x_b = \{r_b^T\}$ or $x_b = \{r_b^F\}$. This denotes the
binary representation of a number $\bar r$, with $x_b = \{r_b^T\}$ iff the $b$-th bit in the binary
representation of $\bar r$ is 1 (with $x_k$ encoding the most significant bit). Next, the
adversary chooses a sequence of $k$ s-bits, encoding a number $\bar s$. The adversary
should choose these sequences such that $\bar s = \bar r + 1$.

The fact that $\bar s = \bar r + 1$ can be checked using the formula $succ(\bar r, \bar s)$:

$$succ(\bar r, \bar s) = \bigvee_{j=1}^{k} \Big[ \bigwedge_{h=1}^{j-1} (\Diamond r_h^T \wedge \Diamond s_h^F) \;\wedge\; (\Diamond r_j^F \wedge \Diamond s_j^T) \;\wedge\; \bigwedge_{h=j+1}^{k} \big( (\Diamond r_h^T \wedge \Diamond s_h^T) \vee (\Diamond r_h^F \wedge \Diamond s_h^F) \big) \Big]$$

That is, some bit $j$ is 0 in $\bar r$ and 1 in $\bar s$, every bit below $j$ is 1 in $\bar r$ and 0 in $\bar s$, and every bit above $j$ has the same value in both numbers.

Let $same(p_i, r_i)$ stand for the formula $(p_i^T \wedge \Diamond r_i^T) \vee (p_i^F \wedge \Diamond r_i^F)$. Similarly
define $same(p_i, s_i)$. Also, let $diff(q_i, r_i)$ stand for the formula $(q_i^T \wedge \Diamond r_i^F) \vee (q_i^F \wedge \Diamond r_i^T)$,
which checks if the $i$-th q-bit is the complement of the $i$-th r-bit.
The specification formula then has the following conjunct $\psi_1$:

$$\psi_1 = \Diamond obj_1 \rightarrow \big( [(succ(\bar r, \bar s) \wedge \varphi_1) \rightarrow \varphi_2] \wedge (\varphi'_1 \rightarrow \varphi'_2) \big)$$

where

$$\varphi_1 = Seq(same(p_k, r_k), \ldots, same(p_1, r_1), (p_k^T \vee p_k^F))$$

$$\varphi_2 = Seq(same(p_k, r_k), \ldots, same(p_1, r_1), same(p_k, s_k), \ldots, same(p_1, s_1))$$

$$\varphi'_1 = Seq(same(p_k, r_k), \ldots, same(p_1, r_1))$$

$$\varphi'_2 = Seq(same(p_k, r_k), \ldots, same(p_1, r_1), diff(q_1, r_1), \ldots, diff(q_k, r_k))$$

$\varphi_1$ says that there is a subsequence of p-bits matching $\bar r$ and after this matching
there is a future point where some p-bit (and hence a u-address) is defined,
i.e. $u[\bar r] \cdot p_k^T$ or $u[\bar r] \cdot p_k^F$ is a subsequence of the play. $\varphi_2$ demands that there is a
subsequence of p-bits that match $\bar r$ followed by a sequence of p-bits matching $\bar s$,
i.e. $u[\bar r] \cdot u[\bar s]$ is a subsequence.
The formula $\varphi'_1$ checks whether there is a subsequence of p-bits matching $\bar r$
and $\varphi'_2$ checks if there is a subsequence of p-bits matching $\bar r$ followed by a subsequence
of q-bits matching $2^k - 1 - \bar r$, i.e. whether $u[\bar r] \cdot v[2^k - 1 - \bar r]$ is a subsequence
of the play.

Consider a strategy for the protagonist such that all plays according to the
strategy satisfy $\psi_1$. If the sequence $u[i_0]a_0v[j_0]\ ok\ u[i_1]a_1v[j_1]\ ok \ldots$ is a play
according to this strategy, we can prove that this must be a proper sequence.
One can also show that if the protagonist plays only proper sequences, then she
cannot lose because of the conjunct $\psi_1$.

In summary, we have so far managed to construct a game graph that lets
the protagonist generate cell contents at various addresses ranging from 0 to
$2^k - 1$. The specification $\psi_1$ forces the protagonist to generate this in increasing
order. The game graph forces each contiguous block of declared cells to be a
configuration and when a configuration is finished, the game graph ensures that
the correct player gets to choose the direction of how the computation will
proceed.

Let us now turn to the second objection $obj_2$ that ensures that the configuration
sequences generated do respect the transitions of the Turing machine. After
raising objection $obj_2$, the play reaches the subgraph $G_2$, where the adversary
picks four numbers $\bar r, \bar s, \bar t$ and $\bar e$ (using the r-, s-, t- and e-bits). The adversary
should generate these such that $\bar s = \bar r + 1$, $\bar t = \bar s + 1$ and $\bar e = \bar s + 2^{k/2}$. Also,
$\bar r$, $\bar s$ and $\bar t$ will point to three consecutive cells of a particular configuration and
hence $\bar e$ will point to a cell in the successor configuration where the cell number
is the same as that pointed to by $\bar s$. The adversary claims that the cell content
defined at $\bar e$ is not correct (note that the cell content at $\bar e$ solely depends on the
cell contents at $\bar r$, $\bar s$ and $\bar t$).

First, the correctness of the values of $\bar r, \bar s, \bar t$ and $\bar e$ can be ensured using
a formula $\varphi_3$, similar to the way we check whether a number is the successor
of another. Also, let $\Delta_{D_1}$ be the set of all elements of the form $(a_1, a_2, a_3, a'_2)$,
where $a_1, a_2, a_3, a'_2 \in \Sigma'$ and $a'_2$ is the expected value of the cell number $cell$, if
$a_1$, $a_2$ and $a_3$ are the cell contents of the cells $cell-1$, $cell$ and $cell+1$ of the
previous configuration and the machine took the $D_1$ transition. Similarly, define
$\Delta_{D_2}$. Let $match(a, \bar r, \varphi)$, where $\varphi$ is a temporal formula, denote the formula
which checks whether $a$ matches $\bar r$ in $w$ (where $\bar r$ is the number encoded by the
r-bits that occur somewhere in the future of where the string is matched) and
after matching, the suffix of $w$ from that point satisfies $\varphi$. More precisely, let
$same(p_b, r_b) = (p_b^T \wedge \Diamond r_b^T) \vee (p_b^F \wedge \Diamond r_b^F)$, as defined before, and let
$diff(q_b, r_b) = (q_b^T \wedge \Diamond r_b^F) \vee (q_b^F \wedge \Diamond r_b^T)$, for every $b \in [1,k]$. Then,

$$match(a, \bar r, \varphi) = Seq(same(p_k, r_k), \ldots, same(p_1, r_1), a, diff(q_1, r_1), \ldots, diff(q_k, r_k), \varphi).$$

Note that if $\varphi$ is in $B(L_{\Diamond,\wedge,\vee}(\Pi))$, then so is $match(a, \bar r, \varphi)$. Define similarly formulas for
$\bar s$, $\bar t$ and $\bar e$.

Now, we have in the specification the conjunct $\psi_2 = (\Diamond obj_2 \wedge \varphi_3) \rightarrow \varphi_4$,
where $\varphi_3$ is as explained earlier and, denoting by $\xi(a_1, a_2, a_3, a'_2, d)$ the formula

$$match(a_1, \bar r, match(a_2, \bar s, match(a_3, \bar t, \Diamond(d \wedge match(a'_2, \bar e, true))))),$$

$$\varphi_4 = \bigvee_{d \in \{D_1, D_2\},\ (a_1, a_2, a_3, a'_2) \in \Delta_d} \xi(a_1, a_2, a_3, a'_2, d).$$

$\varphi_4$ checks whether there is a tuple $(a_1, a_2, a_3, a'_2)$ in $\Delta_{D_1}$ or $\Delta_{D_2}$ such that $a_1$
matches $\bar r$ followed by $a_2$ matching $\bar s$ followed by $a_3$ matching $\bar t$ followed by the
corresponding direction $D_1$ or $D_2$ followed by $a'_2$ matching $\bar e$. It is easy to see
that a proper sequence that encodes a list of valid configurations interspersed
with direction labels satisfies $\psi_2$ (for all possible values of $\bar r, \bar s, \bar t$ and $\bar e$) iff it
corresponds to a correct evolution of $M$ according to the direction labels.

The complete specification is then $\psi_1 \wedge \psi_2 \wedge \psi_3$, where $\psi_3 = \Diamond obj_1 \vee \Diamond obj_2 \vee \bigvee_{a \in \Sigma} \Diamond (q_f, a)$,
which demands that if no objection is raised, then the play must
meet the final state.

We can show thus that there is a winning strategy for the protagonist iff $M$
accepts $w$. Since the main part of $G$ is $O(|w| + k + |M|)$, the size of both $G_1$ and $G_2$
is $O(k)$, and the size of $\psi_1 \wedge \psi_2 \wedge \psi_3$ is $O(k(k + |M|))$, we have:

Theorem 1. Deciding $B(L_{\Diamond,\wedge,\vee}(\Pi))$ games is EXPSPACE-hard.

3.4 Lower Bound for $L_{\Box,\Diamond,\wedge,\vee}(\Pi)$

In this section, we show that deciding games for specifications given by formulas
in $L_{\Box,\Diamond,\wedge,\vee}(\Pi)$ is 2EXPTIME-hard. The reduction is from the membership problem
for alternating exponential-space Turing machines. We show that for such
a Turing machine $M$, given an input word $w$, we can construct in polynomial
time a game graph $G'$ and an $L_{\Box,\Diamond,\wedge,\vee}(\Pi)$ formula $\varphi$ such that $M$ accepts $w$ if
and only if the protagonist has a winning strategy in the game.

Let $G$ be the game graph constructed in Sect. 3.3. We give a reduction based
on the construction of a game graph $G'$ which is slightly different from $G$. First,
the configuration numbers are not encoded explicitly (since they can be doubly
exponential) but the cell numbers are encoded. However, for a configuration
sequence $C_0 C_1 \ldots$, we want to count the configurations using a counter modulo 3.
For this, we introduce new propositions $V' = \{0, 1, 2\}$, and in the entire sequence
encoding $C_j$, the proposition $j \bmod 3$ is true. This counter's behaviour is ensured
by the design of the game graph.

The role of $obj_1$ is similar as in $G$; using this the adversary ensures that the
sequence generated is proper and hence that the system does generate a sequence
of configurations with proper cell numbers. However, if it wants to claim that
the sequence of configurations is not according to the Turing machine, note
that it cannot provide an exact witness as configurations are not numbered.
We hence allow the adversary to raise the objection $obj_2$ after the end of every
configuration. When the adversary chooses $obj_2$ it gives a cell number and
claims that the contents of that cell in the last configuration thus far are incorrect
with respect to the corresponding cells in the previous configuration.

The crucial point is that one can check whether the cell in the last configuration
is correct with respect to the penultimate configuration by using an
$L_{\Box,\Diamond,\wedge,\vee}(\Pi)$ formula that uses the modulo-3 counter. Intuitively, if we want to
check a formula $\xi$ on the suffix starting from the penultimate configuration, we
can do so by the formula

$$\bigvee_{j \in \{0,1,2\}} \Diamond\big( j \wedge \xi \wedge \Diamond(j+1) \wedge \neg\Diamond(j+2) \big)$$

where $j+1$ and $j+2$ are taken modulo 3. Note that the formula is in $L_{\Box,\Diamond,\wedge,\vee}(\Pi)$,
but not in $B(L_{\Diamond,\wedge,\vee}(\Pi))$, because of
the subformula $\neg\Diamond(j+2)$ (which plays a vital role). Using such a formula, we
ensure that the protagonist must generate correct configuration sequences to win
the game. The rest of the proof is a matter of details, which we omit; we then have:

Theorem 2. Deciding $L_{\Box,\Diamond,\wedge,\vee}(\Pi)$ games is 2EXPTIME-hard.



4 Fairness Games

In modeling reactive systems, fairness assumptions are added to rule out infinite
computations in which some choice is repeatedly ignored [11]. A typical fairness
constraint is of the form "if an action is enabled infinitely often, then it is taken
infinitely often," and is captured by a formula of the form $\Box\Diamond p \rightarrow \Box\Diamond p'$. In
the game setting, fairness constraints can refer to both the players. Let $\psi_0$ be
the formula expressing the fairness constraint for the protagonist and $\psi_1$ be the
formula for the fairness constraints of the adversary. Then, the winning condition
$W$ of a game is changed either to $\psi_1 \rightarrow (\psi_0 \wedge \varphi)$ ("if the adversary is fair
then the protagonist plays fair and satisfies the specification") or $\psi_0 \wedge (\psi_1 \rightarrow \varphi)$
("the protagonist plays fair and if the adversary plays fair then the specification
is satisfied") [3]. Thus, adding fairness changes the winning conditions for
specifications from a logic $\mathcal{L}$ to Boolean combinations of $L_{\Box\Diamond}(\Pi)$ and $\mathcal{L}$ formulas.

We consider adding fairness to $B(L_{\Diamond,\wedge}(\Pi))$ games. The fragment $B(L_{\Diamond,\wedge}(\Pi))$
contains Boolean combinations of formulas built from state predicates using
eventualities and conjunctions, and includes combinations of typical invariants
and termination properties. A sample formula of this fragment is $\Box p \vee \Diamond(q \wedge \Diamond r)$.
In this section, we prove that games for this logic augmented with fairness
constraints are still decidable in polynomial space. More precisely, we prove
that deciding $B(L_{\Box\Diamond}(\Pi) \cup L_{\Diamond,\wedge}(\Pi))$ games is PSPACE-complete. We begin by
considering $B(L_{\Box\Diamond}(\Pi))$ games.



4.1 Boolean Combinations of Büchi Conditions

In this section we give a polynomial space algorithm to solve $B(L_{\Box\Diamond}(\Pi))$ games.
We adapt the technique proposed by Zielonka [17] for Muller games. Muller
games are game graphs with winning conditions given as a collection of sets of
vertices $\mathcal{F}$ with the meaning that a play $\pi$ is winning if the set of the infinitely
repeating vertices in $\pi$ belongs to $\mathcal{F}$.

Let $V$ be a finite set, $\mathcal{F}$ be a subset of $2^V$, and $\bar{\mathcal{F}}$ be $2^V \setminus \mathcal{F}$. A set $U \in \mathcal{F}$ is
maximal for $\mathcal{F}$ if there is no $U' \in \mathcal{F}$ with $U \subsetneq U'$. A Zielonka tree for the pair $(\mathcal{F}, \bar{\mathcal{F}})$ is
a finite tree $T$ with vertices labeled by pairs of the form $(0, U)$ with $U \in \mathcal{F}$ or
$(1, U)$ with $U \in \bar{\mathcal{F}}$. It is inductively defined as follows. The root of $T$ is labeled
with $(0, V)$, if $V \in \mathcal{F}$, and by $(1, V)$ otherwise. Suppose $x$ is a node labeled with
$(0, U)$. If $U_1, \ldots, U_m$, $m > 0$, are the maximal subsets of $U$ belonging to $\bar{\mathcal{F}}$, then
$x$ has $m$ children respectively labeled with $(1, U_1), \ldots, (1, U_m)$. If all subsets of
$U$ belong to $\mathcal{F}$, then $x$ is a leaf. The case $(1, U)$ is analogous. Notice that while
the number of children can be exponential in $|V|$, the depth of the tree is linear
in $|V|$.

    Z-solve(G_x, x)
      Let V_x be the set of G_x vertices and let (i, U_x) be the label of x
      W ← ∅; W' ← ∅
      if x is not a leaf then
        repeat
          W ← W ∪ W'; W' ← ∅
          W ← Attractor-set(G_x, W, 1−i)
          for each child y of x do
            Let (1−i, U_y) be the label of y
            G_y ← Sub-game(G_x, W, U_y)
            W' ← W' ∪ Z-solve(G_y, y)
        until (W = W ∪ W')
      return (V_x \ W)

Fig. 1. Algorithm for $B(L_{\Box\Diamond}(\Pi))$ games.

Let $V$ be the set of vertices of a game graph $G$ and let $\mathcal{F}$ denote a Muller
winning condition. The algorithm in Fig. 1 implements the solution given by
Zielonka [17]. Let $G_x$ be a sub-game of $G$ (i.e. $G_x$ is a game graph which is
a subgraph of $G$) and let $x$ be a node of the Zielonka tree for $(\mathcal{F}, \bar{\mathcal{F}})$ with $x$
labeled with $(i, U_x)$. On the call $Z\text{-}solve(G_x, x)$, the procedure computes the set
of positions in $G_x$ from which player $i$ has a winning strategy with respect to
the Muller condition restricted to $G_x$. The procedure is hence initially invoked
with $(G, x)$ where $x$ is the root of the Zielonka tree.

The procedure works by growing the set $W$ of the vertices from which player
$1-i$ has a winning strategy on $G_x$. The main parts of $Z\text{-}solve(G_x, x)$ are the
enumeration of the children of $x$, and the calls to procedures $Attractor\text{-}set$ and
$Sub\text{-}game$. A call $Attractor\text{-}set(G_x, W, 1-i)$ constructs the largest set of vertices
in $G_x$ from which player $1-i$ has a strategy to reach $W$. For a set $U \subseteq V_x$, let
$Z$ be the set of vertices constructed in the call $Attractor\text{-}set(G_x, V_x \setminus U, i)$. Then,
$Sub\text{-}game(G_x, W, U)$ constructs a game graph contained in $G_x$, that is induced
by the vertices $V_x \setminus (W \cup Z)$. Each call to either $Attractor\text{-}set$ or $Sub\text{-}game$ takes
at most polynomial time. Note that the recursive depth of calls is bounded by
the depth of the tree.

It is worth noting that for an implicitly defined Muller condition, such as
the one defined by a formula in $B(L_{\Box\Diamond}(\Pi))$, one can use the same procedure
above but without explicitly constructing the Zielonka tree. The algorithm just
needs to compute the children of a node of the tree, and, as we show below, this
can be done in polynomial space as long as the membership test $U \in \mathcal{F}$ can be
implemented in polynomial space. Note that the recursive call depth is bounded
by $|V|$ and hence the algorithm will run in polynomial space.

To explain the computation of children of a node of the Zielonka tree more
formally, consider a $B(L_{\Box\Diamond}(\Pi))$ formula $\varphi$. For a set $U \subseteq V$, let $v_U$ be the
mapping that assigns a sub-formula $\Box\Diamond p$ of $\varphi$ to true if $p$ holds in some vertex
in $U$, and assigns it to false otherwise. We say that $U$ meets $\varphi$ if under the
assignment $v_U$, $\varphi$ evaluates to true. Intuitively, if $U$ is the set of the vertices
that repeat infinitely often on a play $\pi$ of $G$, then $\pi$ satisfies $\varphi$ if and only if
$U$ meets $\varphi$. Let $\mathcal{F}_\varphi$ be the set of $U \subseteq V$ such that $U$ meets $\varphi$, and $\bar{\mathcal{F}}_\varphi$ be its
complement with respect to $2^V$. The Zielonka tree for $\varphi$ is the Zielonka tree $T$
for $(\mathcal{F}_\varphi, \bar{\mathcal{F}}_\varphi)$. We observe that each child of a node $x$ of $T$ can be generated in
polynomial space simply from $\varphi$ and the label $(i, U)$ of $x$. For example, if $i = 0$,
then for each $U' \subseteq U$ we can check if $(1, U')$ is a child of $x$ by checking whether
it falsifies $\varphi$ and is maximal within the subsets of $U$ that do not meet $\varphi$ (which
can be done in polynomial space). Thus we can enumerate the children of a node
in the Zielonka tree using only polynomial space and we have the following:

Theorem 3. Deciding $B(L_{\Box\Diamond}(\Pi))$ games is in PSPACE.



4.2 Solving Fairness Games

The result from Sect. 4.1 can be extended to prove that when the winning condition
is a formula from $B(L_{\Box\Diamond}(\Pi) \cup L_{\Diamond,\wedge}(\Pi))$, that is a Boolean combination
of formulas from $L_{\Box\Diamond}(\Pi)$ and $L_{\Diamond,\wedge}(\Pi)$, then games can still be decided in polynomial
space.

We first describe a polynomial space algorithm to solve games for the simpler
fragment of the Boolean combinations of $L_{\Box\Diamond}(\Pi)$ formulas and formulas of the
form $\Diamond p$ using the polynomial-space algorithm for $B(L_{\Box\Diamond}(\Pi))$ above.

Let us explain the intuition behind the solution with an example. Consider
the formula $\varphi = \Box\Diamond p_1 \vee (\Box\Diamond p_2 \wedge \Diamond p_3)$. The protagonist can win a play by
visiting a state satisfying $p_1$ infinitely often. However, if it meets a state satisfying $p_3$
then it wins using the formula $\varphi' = \Box\Diamond p_1 \vee \Box\Diamond p_2$. Now, assume that we know
the exact set $Z$ of positions from which the protagonist can win the game $G$ with
$\varphi'$ as the winning condition. We construct a game graph $G'$ from $G$ by adding
two vertices $win$ and $lose$, that have self loops, and let a new proposition $p^{win}$ be
true only at $win$. Now, for a vertex $u$ in $G$ where $p_3$ holds, we remove all the edges
from $u$ and instead add an edge to either $win$ or $lose$: we add an edge to $win$
if $u$ is in $Z$, and an edge to $lose$ otherwise. Then clearly the protagonist wins the
overall game if and only if it wins the game $(G', \Box\Diamond p_1 \vee \Box\Diamond p^{win})$. In general, we
need to define and solve many such games. Each such game corresponds to some
subset $X$ of the subformulas of the kind $\Diamond p_i$ mentioned in $\varphi$. In such a game,
when we meet a state that meets a new predicate $p$, where $\Diamond p$ is a subformula
of $\varphi$ but is not in $X$, we jump to $win$ or $lose$ depending on whether the game
corresponding to $X \cup \{\Diamond p\}$ is winning or losing.

Consider a $B(L_{\Box\Diamond}(\Pi) \cup L_\Diamond(\Pi))$ game $(G, \varphi)$ and let $\Diamond p_1, \ldots, \Diamond p_h$ be all the
sub-formulas of $\varphi$ of the form $\Diamond p$ that are not in the scope of the $\Box$ operator.
For each assignment $v$ of truth values to $\Diamond p_1, \ldots, \Diamond p_h$, define $\varphi_v$ as the formula
obtained from $\varphi$ by assigning $\Diamond p_1, \ldots, \Diamond p_h$ according to $v$. Clearly, $\varphi_v$ is a
$B(L_{\Box\Diamond}(\Pi))$ formula. For an assignment $v$ and a vertex $u$, we denote by $v + u$
the assignment that maps $\Diamond p_i$ to true iff either $v$ assigns $\Diamond p_i$ to true or $p_i$ holds
true at $u$. We say that a vertex $u$ meets an assignment $v$ if whenever $p_i$ holds
true at $u$, then $v$ also assigns $\Diamond p_i$ to true.

We denote by $G_v$ the game graph obtained from $G$ by removing all the edges
$(u, u')$ such that $u$ does not meet $v$, and adding two new vertices $win$ and $lose$
along with new edges as follows. We use a new atomic proposition $p^{win}$ that is
true only at $win$. We add a self loop on both $win$ and $lose$, and there are no
other edges leaving from these vertices (i.e., they are both sinks). Denoting by
$X_v$ the set of vertices that meet $v$, we add an edge from each $u \notin X_v$ to $win$ if
there is a winning strategy of the protagonist in $(G_{v+u}, \varphi_{v+u} \vee \Box\Diamond p^{win}, u)$, and
to $lose$ otherwise.

In order to construct $G_v$, we may need to make recursive calls to construct
and solve $(G_{v+u}, \varphi_{v+u} \vee \Box\Diamond p^{win}, u)$, for some $u$. However, note that the number
of elements set to true in $v + u$ is more than those set to true in $v$. Also, if $v$
assigns all elements to true, there will be no recursive call to construct games.
Hence the depth of recursion is bounded by the number of subformulas of the
kind $\Diamond p_i$ in $\varphi$. Note however that there can be an exponential number of calls required
when constructing $G_v$. Since any of the games $(G_v, \varphi')$, once constructed,
can be solved in polynomial space, it follows that $G_\bot$ can be constructed in polynomial
space, where $\bot$ is the empty assignment where every element is set to
false. Therefore, we have the following lemma.

Lemma 2. Given a $B(L_{\Box\Diamond}(\Pi) \cup L_\Diamond(\Pi))$ game $(G, \varphi, u)$, there exists a winning
strategy of the protagonist in $(G, \varphi, u)$ if and only if there exists a winning
strategy of the protagonist in $(G_\bot, \varphi_\bot \vee \Box\Diamond p^{win}, u)$.
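The following is an added example, not code from the paper or its authors. It implements the $Z\text{-}solve$ recursion of Fig. 1 (Sect. 4.1), generating the children of each Zielonka-tree node on the fly from a $B(L_{\Box\Diamond}(\Pi))$ formula through the "meets" test, and on top of it the $win$/$lose$ construction of this section for the top-level $\Diamond p$ sub-formulas. The game representation, the formula syntax, the sample game and all names (`Game`, `meets`, `children`, `attractor`, `z_solve`, `solve_buchi`, `solve_fair`, the proposition `p_win`) are our own assumptions; exhaustive subset enumeration stands in for the paper's polynomial-space enumeration, so the code is only meant for tiny graphs, and the player-$i$ attractor used by $Sub\text{-}game$ is computed inside $G_x \setminus W$.

```python
"""Added example, not code from the paper: Zielonka's recursion of Fig. 1 with
children generated on the fly from a B(L_{[]<>}(Pi)) formula (Sect. 4.1), plus
the win/lose construction of Sect. 4.2 for top-level <>p sub-formulas.  Game
representation, formula syntax, names and the sample game are our own."""
from itertools import combinations

class Game:
    """owner[v]: 0 protagonist / 1 adversary; succ[v]: successors; label[v]: propositions at v."""
    def __init__(self, owner, succ, label):
        self.owner, self.succ, self.label = owner, succ, label
        self.vertices = frozenset(owner)

# Formulas: ('GF', p) | ('F', p) | ('not', f) | ('and', f, g) | ('or', f, g).
def meets(U, game, phi, assign=frozenset()):
    """U meets phi: []<>p := p holds at some vertex of U; a top-level <>p is true iff p in assign."""
    op = phi[0]
    if op == 'GF':
        return any(phi[1] in game.label[v] for v in U)
    if op == 'F':
        return phi[1] in assign
    if op == 'not':
        return not meets(U, game, phi[1], assign)
    a, b = meets(U, game, phi[1], assign), meets(U, game, phi[2], assign)
    return (a and b) if op == 'and' else (a or b)

def children(U, i, game, phi, assign):
    """Children of tree node (i, U): maximal proper subsets of U on the other side of F_phi
    (U meets phi iff i == 0).  Candidates come by decreasing size, so one is maximal iff no
    kept set contains it; the empty set is skipped (never the infinity set of a play)."""
    kept = []
    for size in range(len(U) - 1, 0, -1):
        for cand in combinations(sorted(U, key=str), size):
            S = frozenset(cand)
            if meets(S, game, phi, assign) != (i == 0) and not any(S <= K for K in kept):
                kept.append(S)
    return kept

def attractor(game, region, target, player):
    """Vertices of region from which player forces a visit to target, moves restricted to region."""
    attr = set(target) & region
    changed = True
    while changed:
        changed = False
        for v in region - attr:
            succ = [w for w in game.succ[v] if w in region]
            mine = game.owner[v] == player
            if succ and (any(w in attr for w in succ) if mine else all(w in attr for w in succ)):
                attr.add(v); changed = True
    return frozenset(attr)

def z_solve(game, region, U, i, phi, assign):
    """Z-solve of Fig. 1: vertices of the sub-game on region (inside U, node (i, U)) won by player i."""
    W = Wp = frozenset()
    kids = children(U, i, game, phi, assign)
    if kids:
        while True:
            W = attractor(game, region, W | Wp, 1 - i); Wp = frozenset()
            for Uy in kids:
                Z = attractor(game, region - W, region - Uy, i)   # player i forces the play out of Uy
                Wp |= z_solve(game, region - W - Z, Uy, 1 - i, phi, assign)
            if Wp <= W:
                break
    return region - W

def solve_buchi(game, phi, assign=frozenset()):
    """Protagonist's winning region for phi_assign, a B(L_{[]<>}) condition (Theorem 3)."""
    V = game.vertices
    i = 0 if meets(V, game, phi, assign) else 1
    R = z_solve(game, V, V, i, phi, assign)
    return R if i == 0 else V - R

def diamonds(phi):
    """Propositions of the top-level <>p sub-formulas of phi."""
    if phi[0] in ('GF', 'F'):
        return {phi[1]} if phi[0] == 'F' else set()
    return set().union(*map(diamonds, phi[1:]))

def solve_fair(game, phi, assign=frozenset()):
    """Sect. 4.2: G_assign redirects each vertex u that does not meet `assign` to a win or lose
    sink, decided by solving the game for the larger assignment assign + u; returns the
    protagonist's region of (G_assign, phi_assign \/ []<>p_win) restricted to G's vertices."""
    owner = {**game.owner, 'win': 1, 'lose': 1}
    succ = {**game.succ, 'win': ['win'], 'lose': ['lose']}
    label = {**game.label, 'win': {'p_win'}, 'lose': set()}
    ps = diamonds(phi)
    for u in game.vertices:
        bigger = assign | (ps & game.label[u])
        if bigger != assign:                    # u does not meet assign: jump to a sink
            wins = u in solve_fair(game, phi, bigger)
            succ[u] = ['win' if wins else 'lose']
    return solve_buchi(Game(owner, succ, label), ('or', phi, ('GF', 'p_win')), assign) & game.vertices

# Constructed sample (not from the paper) for the section's own formula
# []<>p1 \/ ([]<>p2 /\ <>p3): p1 holds nowhere, so the protagonist must pass
# the p3-vertex 1 and afterwards keep p2 recurring through vertex 3.
SAMPLE = Game(owner={0: 0, 1: 1, 2: 1, 3: 1, 4: 0},
              succ={0: [1, 2], 1: [3, 4], 2: [2, 0], 3: [3], 4: [3, 4]},
              label={0: set(), 1: {'p3'}, 2: {'p2'}, 3: {'p2'}, 4: set()})
PHI = ('or', ('GF', 'p1'), ('and', ('GF', 'p2'), ('F', 'p3')))

if __name__ == '__main__':
    print(sorted(solve_fair(SAMPLE, PHI)))       # [0, 1]
```

On the sample, `solve_fair` first solves the game for the assignment $\{\Diamond p_3\}$, where $\varphi$ collapses to $\Box\Diamond p_1 \vee \Box\Diamond p_2$ and the protagonist wins everywhere, so vertex 1 is redirected to $win$; the outer game with $\varphi_\bot = \Box\Diamond p_1$ is then won exactly from vertices 0 and 1. Vertices 3 and 4 are losing because $p_3$ is never seen from them, and the adversary loops at 2 forever.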

To decide $B(L_{\Box\Diamond}(\Pi) \cup L_{\Diamond,\wedge}(\Pi))$ games we need to modify the above procedure.
We know from [4] that for each formula $\psi$ in $B(L_{\Diamond,\wedge}(\Pi))$ there exists a
deterministic Büchi automaton $A$ accepting all the models of $\psi$ such that: (1) the
size of $A$ is exponential in $|\psi|$, (2) the automaton can be constructed "on-the-fly",
that is, for any state of the automaton, the transitions from it can be found
in polynomial time, (3) the length of simple paths in $A$ is linear in $|\psi|$, and
(4) the only cycles in the transition graph of $A$ are the self-loops. For a given
$B(L_{\Box\Diamond}(\Pi) \cup L_{\Diamond,\wedge}(\Pi))$ formula $\varphi$, let $\psi_1, \ldots, \psi_k$ be all the sub-formulas of $\varphi$ from
$B(L_{\Diamond,\wedge}(\Pi))$ that are not in the scope of the $\Box$ operator. Let $A_i$ be a deterministic
automaton accepting models of $\psi_i$ and satisfying the above properties. Let $Q$ be
the product of the sets of states of $A_1, \ldots, A_k$. For a tuple $q = (q_1, \ldots, q_k) \in Q$,
we associate a truth assignment $v[q]$ such that $v[q](\psi_i)$ is true if and only if $q_i$
is an accepting state. Moreover, for $i = 1, \ldots, k$, let $q'_i$ be the state entered by
$A_i$ starting from $q_i$ reading the label of a vertex $u$ of $G$. We denote the tuple
$(q'_1, \ldots, q'_k)$ by $q(u)$. For a tuple of states $q = (q_1, \ldots, q_k) \in Q$, the graph $G_q$ is
constructed similarly to $G_v$. The main differences are that we solve games of the
form $(G_{q(u)}, \varphi_{v[q(u)]} \vee \Box\Diamond p^{win}, u)$, we use the set $X_q = \{u \mid q = q(u)\}$ instead of
$X_v$, and the recursion depth is bounded by $O(k \cdot |\varphi|)$. Clearly, each such graph
can be constructed in polynomial space and thus we have the following result.

Theorem 4. Deciding $B(L_{\Box\Diamond}(\Pi) \cup L_{\Diamond,\wedge}(\Pi))$ games is in PSPACE.
We can also show that deciding $B(L_{\Box\Diamond}(\Pi))$ games is PSPACE-hard and hence,
from the results above, deciding $B(L_{\Box\Diamond}(\Pi) \cup L_{\Diamond,\wedge}(\Pi))$ games and $B(L_{\Box\Diamond}(\Pi))$
games is PSPACE-complete. We in fact show a stronger result that a fragment of
$B(L_{\Box\Diamond}(\Pi))$ is already PSPACE-hard.

Let $\mathcal{L}_R$ denote the set of formulas of the form $\bigvee_{i=1}^{n} \varphi_i$, where each $\varphi_i$ is of the
form $(\Box\Diamond p_i \wedge \Diamond\Box p'_i)$ (where each $p_i$ and $p'_i$ are state predicates). $\mathcal{L}_R$ is then a
fragment of $B(L_{\Box\Diamond}(\Pi))$ and represents Rabin conditions. Let $\mathcal{L}_S$ denote the set
of formulas of the form $\bigwedge_{i=1}^{n} \varphi_i$, where each $\varphi_i$ is of the form $(\Box\Diamond p_i \rightarrow \Box\Diamond p'_i)$.
$\mathcal{L}_S$ is also a fragment of $B(L_{\Box\Diamond}(\Pi))$ and represents Streett conditions, which are
the dual of Rabin conditions. Let $\mathcal{L}_{RS}$ represent a disjunction of a Rabin and a
Streett condition, i.e. $\mathcal{L}_{RS}$ contains formulas of the kind $\varphi_R \vee \varphi_S$ where $\varphi_R \in \mathcal{L}_R$
and $\varphi_S \in \mathcal{L}_S$. We can then show that deciding games for formulas in $\mathcal{L}_{RS}$
is PSPACE-hard. Note that it is known that deciding $\mathcal{L}_R$ games is NP-complete
and, hence, deciding $\mathcal{L}_S$ games is co-NP-complete.

Theorem 5. Deciding $\mathcal{L}_{RS}$ games is PSPACE-hard.

5 Conclusions

We have shown that games for the fragment $L_{\Box,\Diamond,\wedge,\vee}(\Pi)$ are 2EXPTIME-hard,
games for the fragment $B(L_{\Diamond,\wedge,\vee}(\Pi))$ are EXPSPACE-hard, games for $B(L_{\Box\Diamond}(\Pi))$
are PSPACE-hard, and games for $B(L_{\Box\Diamond}(\Pi) \cup L_{\Diamond,\wedge}(\Pi))$ are in PSPACE. Our lower
bound proofs introduce new techniques for counting and encoding using game
graphs and LTL formulas without using next or until operators. Our upper bound
techniques are useful for combinations of safety/reachability games on game
graphs with strong fairness requirements on the choices of the two players. The
results in this paper complete the picture for the complexity bounds for various
fragments of LTL and are summarized in Fig. 2. Recall that model checking of
$L_{\Box,\Diamond,\wedge,\vee}(\Pi)$ formulas is NP-complete, and becomes PSPACE-complete (as for
the full LTL) by allowing the until and/or the next operators [15]. As shown
in Fig. 2, this does not hold for games. Note that allowing nested always and
eventually operators the complexity of games increases to the complexity of the
whole LTL (i.e., 2EXPTIME-complete), while the use of the next and eventually
operators (with the negation only at the top level) that makes model checking
PSPACE-hard increases the complexity of games only to EXPSPACE.

Fig. 2. Complexity of LTL games
Abstract. We consider concurrent two-person games played in real
time, in which the players decide both which action to play, and when
to play it. Such timed games differ from untimed games in two essential
ways. First, players can take each other by surprise, because actions are
played with delays that cannot be anticipated by the opponent. Second,
a player should not be able to win the game by preventing time from
diverging. We present a model of timed games that preserves the element
of surprise and accounts for time divergence in a way that treats
both players symmetrically and applies to all $\omega$-regular winning conditions.
We prove that the ability to take each other by surprise adds extra
power to the players. For the case that the games are specified in the
style of timed automata, we provide symbolic algorithms for their solution
with respect to all $\omega$-regular winning conditions. We also show
that for these timed games, memory strategies are more powerful than
memoryless strategies already in the case of reachability objectives.



1 Introduction

Games have become a central modeling paradigm in computer science. In synthesis
and control, it is natural to view a system and its environment as players of a
game that pursue different objectives [Chu63,RW89,PR89]. Similarly, in modular
specification and verification it is often appropriate to model the components
of a system as individual players that may or may not cooperate, depending on
the application [AHK02,AdAHM99]. Such games are played on a state space
and proceed in an infinite sequence of rounds. In each round, the players choose
actions to play, and the chosen actions determine the successor state. For the
synthesis and modular analysis of real-time systems, we need to use games where
time elapses between actions [MPS95]. In such timed games, each player chooses
both which action to play, and when to play it. Timed games differ from their
untimed counterparts in two essential ways. First, players can take each other by
surprise, because actions are played with delays that cannot be anticipated by
the opponent. Second, a player should not be able to win the game by preventing
time from diverging [SGSAL98,AH97]. We present a model of timed games that
preserves the element of surprise and accounts for the need of time divergence.
We study both the properties of the winning strategies and the algorithms for
their construction.

We consider two-player timed games that are played over a possibly infinite
state space. In each state, each player chooses, simultaneously and independently
of the other player, a move $(\Delta, a)$, indicating that the player wants to play the
action $a$ after a delay of $\Delta \in \mathbb{R}_{\geq 0}$ time units. A special action, $\bot$, signifies the
player's intention to remain idle for the specified time delay. Of the moves chosen
by the two players, the one with the smaller delay is carried out and determines
the successor state; if the delays are equal, then one of the chosen moves
occurs nondeterministically (this models the fact that, in real-time interaction,
true contemporaneity cannot be achieved). This process, repeated for infinitely
many rounds, gives rise to a run of the game. Our definition of moves preserves
the element of surprise: a player cannot anticipate when the opponent's action
will occur in the current round. This contrasts with many previous definitions of
timed games (e.g., [AH97,HHM99,dAHM01b,MPS95,AMPS98]), where players
can only either play immediately an action $a$, or wait for a delay $\Delta$. Such formulations
may be simpler and more elegant for timed transition systems (i.e.,
one-player games), but in the case of two-player formulations, the element of
surprise is lost, because after each delay both players have the opportunity to
propose a new move. This allows a player to intercept the opponent's move $(\Delta, a)$
just before the action $a$ is carried out. We show that the element of surprise gives
a distinct advantage to a player. In particular, we prove that there are simple
reachability games that can be won under our formulation of moves, but not
under the previous "no-surprise" versions.

The objective for a player is given by a set $\Phi$ of desired game outcomes. A 
player achieves this goal if all game outcomes belong to $\Phi$. For a timed game 
to be physically meaningful, a player should not be able to achieve a goal by 
stopping the progress of time. For instance, if $\Phi$ consists of the set of runs that 
stay forever in a certain set $U$ of states, and if player 2 has an action to leave 
$U$ only after a delay of 4, then player 1 should not be able to win by always 
playing $(0, \bot)$. Therefore, several conditions $WC_i(\Phi)$ have been proposed in the 
literature to express when player $i \in \{1,2\}$ wins a timed game with goal $\Phi$. 

In [SGSAL98,AH97] the winning condition $WC_1(\Phi)$ is defined to be $\Phi \cap 
(td \cup Blameless_1)$, where $td$ is the set of runs along which time diverges, and 
$Blameless_1$ is the set of runs along which player 1 proposes the shorter delay 
only finitely often. Clearly, player 1 is not responsible if time converges along a 
run in $Blameless_1$. Informally, the condition states that player 1 must achieve 
the goal and moreover, either time diverges or player 1 is blameless for its 
convergence. This definition works if the goal $\Phi$ is a safety property, but not if 
it is a reachability or, more generally, an $\omega$-regular property. To see this, observe 
that player 1 must achieve the goal even if player 2 stops the progress of time. 
Consider a game where the goal consists of reaching a set $U$ of states, and where 
player 1 has an action leading to $U$ which is always available once time advances 
beyond 1. Then, player 1 cannot win: player 2 can stop time, preventing the 
action from ever becoming enabled, and ensuring that no run is in $\Phi$. 

In [MPS95], the winning condition $\Phi \cap td$ is proposed. This condition requires 
player 1 to guarantee time divergence, which is not possible in models where 
player 2 can block the progress of time. In [dAHS02], this condition is modified to 
$WC_i(\Phi) = (\Phi \cap td) \cup Blameless_i$ for player $i \in \{1,2\}$. While this is appropriate in 
the asymmetric setting considered there, the problem in our setting, where both 
players are treated completely symmetrically, is that the two conditions $WC_1(\Phi)$ 
and $WC_2(\neg\Phi)$ are not disjoint (here $\neg\Phi$ is the complementary language of $\Phi$). 
This means that there are games in which both players can win: for instance, 
player 1 can ensure $\Phi \cap td$, and player 2 can ensure $Blameless_2$. Other works on 
timed games (e.g., [AMPS98,FLM02]) have avoided the issue of time divergence 
altogether by putting syntactic constraints on the game structures. 

We define timed games and their winning conditions in a completely symmetric 
fashion, and in a way that works for all goals (in particular for all 
$\omega$-regular goals) and ensures that players can win only by playing in a 
physically meaningful way. The winning conditions we propose are $WC_i(\Phi) = 
(\Phi \cap td) \cup (Blameless_i \setminus td)$, for $i \in \{1,2\}$. These winning conditions imply 
that $WC_1(\Phi) \cap WC_2(\neg\Phi)$ is empty, ensuring that at most one player can win. 
Note that there are runs that belong neither to $WC_1(\Phi)$ nor to $WC_2(\neg\Phi)$: this 
contrasts with the traditional formulation of untimed games, where runs are 
either winning for a player with respect to a goal, or winning for the opponent 
with respect to the complementary goal. We argue that the lack of run-level 
determinacy is unavoidable in timed games. To see this, consider a run $r$ along 
which both players take turns in proposing moves with delay 0, thus stopping 
the progress of time. If we somehow assign this run to be winning for a player, 
say player 1, then it would be possible to construct games in which the moves 
with delay 0 are the only moves available, and in which player 1 could nevertheless 
win. This would go against our intention that a player can win only in a 
physically meaningful way. The lack of run-level determinacy also implies that 
there are states from which neither player can win. 

The form of the winning conditions for timed games has other important 
implications. We show that to win with respect to a reachability goal, in contrast 
to the untimed case, strategies with memory may be required. For safety goals, 
however, memoryless strategies suffice also in the timed case. We prove several 
additional structural properties of the winning strategies for timed games. For 
instance, we define a class of persistent strategies, in which players do not change 
their mind about the time of future moves when interrupted by a $(\Delta, \bot)$ move 
of the opponent. We show that persistent strategies always suffice to win games, 
for all possible goals. 

While we define timed games at first semantically, we also offer a timed-automaton-style 
[AD94] syntax for a specific class of timed games. We show 
that for these timed automaton games the winning states with respect to any 
$\omega$-regular goal can be computed by a symbolic algorithm that iterates a controllable 
predecessor operator on clock regions. In particular, we prove that timed 
automaton games can be won using region strategies, where the players need only 
remember the history of the game as a sequence of regions, rather than more 
precisely, as a sequence of states. Furthermore, the problem of solving these games 
is shown to be, as expected [AH97], complete for EXPTIME. 

2 Timed Games 

2.1 Timed Game Structures 

A timed game structure is a tuple $\mathcal{G} = (S, Acts_1, Acts_2, \Gamma_1, \Gamma_2, \delta)$, where 

— $S$ is a set of states. 

— $Acts_1$ and $Acts_2$ are two disjoint sets of actions for player 1 and player 2, 
respectively. We assume that $\bot \notin Acts_i$ and write $Acts_i^\bot = Acts_i \cup \{\bot\}$. The 
set of moves of player $i$ is given by $M_i = \mathbb{R}_{\geq 0} \times Acts_i^\bot$. 

— For $i = 1, 2$, the function $\Gamma_i : S \to 2^{M_i} \setminus \{\emptyset\}$ is an enabling condition, which 
assigns to each state $s$ a set $\Gamma_i(s)$ of moves available to player $i$ in that state. 

— $\delta : S \times (M_1 \cup M_2) \to S$ is a destination function that, given a state and a 
move of either player, determines the next state in the game. 

We require that the move $(0, \bot)$ is always enabled and does not leave the state: 
$(0, \bot) \in \Gamma_i(s)$ and $\delta(s, (0, \bot)) = s$ for all $s \in S$. Similarly to [Yi90], we require 
for all $0 \leq \Delta' \leq \Delta$ and $a \in Acts_i^\bot$, that (1) $(\Delta, a) \in \Gamma_i(s)$ if and only if 
$(\Delta', \bot) \in \Gamma_i(s)$ and $(\Delta - \Delta', a) \in \Gamma_i(\delta(s, (\Delta', \bot)))$, and (2) if $\delta(s, (\Delta', \bot)) = s'$ 
and $\delta(s', (\Delta - \Delta', a)) = s''$, then $\delta(s, (\Delta, a)) = s''$. 

Intuitively, at each state $s \in S$, player 1 chooses a move $(\Delta_1, a_1) \in \Gamma_1(s)$, and 
simultaneously and independently, player 2 chooses a move $(\Delta_2, a_2) \in \Gamma_2(s)$. If 
$\Delta_1 < \Delta_2$, then the move $(\Delta_1, a_1)$ is taken; if $\Delta_2 < \Delta_1$, then the move $(\Delta_2, a_2)$ 
is taken. If $\Delta_1 = \Delta_2$, then the game takes nondeterministically one of the two 
moves $(\Delta_1, a_1)$ or $(\Delta_2, a_2)$. Formally, we define the joint destination function 
$\hat\delta : S \times M_1 \times M_2 \to 2^S$ by 

$$
\hat\delta(s, (\Delta_1, a_1), (\Delta_2, a_2)) =
\begin{cases}
\{\delta(s, (\Delta_1, a_1))\} & \text{if } \Delta_1 < \Delta_2, \\
\{\delta(s, (\Delta_2, a_2))\} & \text{if } \Delta_1 > \Delta_2, \\
\{\delta(s, (\Delta_1, a_1)),\ \delta(s, (\Delta_2, a_2))\} & \text{if } \Delta_1 = \Delta_2.
\end{cases}
$$

The time elapsed when moves $m_1 = (\Delta_1, a_1)$ and $m_2 = (\Delta_2, a_2)$ are played 
is given by $delay(m_1, m_2) = \min(\Delta_1, \Delta_2)$. For $i \in \{1, 2\}$, the boolean predicate 
$bl_i(s, m_1, m_2, s')$ holds if player $i$ is responsible for the state change from 
$s$ to $s'$. Formally, denoting with $\sim i = 3 - i$ the opponent of player $i$, we define 
$bl_i(s, m_1, m_2, s')$ iff both $\Delta_i \leq \Delta_{\sim i}$ and $s' = \delta(s, m_i)$. Note that both 
$bl_1(s, m_1, m_2, s')$ and $bl_2(s, m_1, m_2, s')$ may hold at the same time. 

An infinite run (or simply a run) of the timed game structure $\mathcal{G}$ is a sequence 
$s_0, (m_1^1, m_2^1), s_1, (m_1^2, m_2^2), s_2, \ldots$ such that $s_k \in S$, $m_1^{k+1} \in \Gamma_1(s_k)$, 
$m_2^{k+1} \in \Gamma_2(s_k)$, and $s_{k+1} \in \hat\delta(s_k, m_1^{k+1}, m_2^{k+1})$ for all $k \geq 0$. A finite run $r$ 
is a finite prefix of a run that terminates at a state $s$; we then set $last(r) = s$. 
We denote by $FRuns$ the set of all finite runs of the game structure, and by $Runs$ 
the set of its infinite runs. A finite or infinite run $r = s_0, (m_1^1, m_2^1), s_1, \ldots$ induces 
a trace $states(r) = s_0, s_1, \ldots$ of states occurring in $r$. A state $s'$ is reachable from 
another state $s$ if there exists a finite run $s_0, (m_1^1, m_2^1), s_1, \ldots, s_n$ such that $s_0 = s$ 
and $s_n = s'$. 

A strategy for player $i \in \{1, 2\}$ is a mapping $\pi_i : FRuns \to M_i$ that associates 
with each finite run $s_0, (m_1^1, m_2^1), s_1, \ldots, s_k$ the move 
$\pi_i(s_0, (m_1^1, m_2^1), s_1, \ldots, s_k)$ to be played at $s_k$. We require that the strategy 
only selects enabled moves, that is, $\pi_i(r) \in \Gamma_i(last(r))$ for all $r \in FRuns$. For 
$i \in \{1, 2\}$, let $\Pi_i$ denote the set of all player $i$ strategies, and $\Pi = \Pi_1 \cup \Pi_2$ 
the set of all strategies. For all states $s \in S$ and strategies $\pi_1 \in \Pi_1$ and 
$\pi_2 \in \Pi_2$, we define the set of outcomes $Outcomes(s, \pi_1, \pi_2)$ as the set of all 
runs $s_0, (m_1^1, m_2^1), s_1, \ldots$ such that $s_0 = s$, and for all $k \geq 0$ and $i = 1, 2$, we have 
$\pi_i(s_0, (m_1^1, m_2^1), s_1, \ldots, s_k) = m_i^{k+1}$. Note that in our timed games, two strategies 
and a start state yield a set of outcomes, because if the players propose 
moves with the same delay, a nondeterministic choice between the two moves is 
made. According to this definition, strategies can base their choices on the entire 
history of the game, consisting of both past states and moves. In Proposition 1 
we show that, to win the game, strategies need only consider past states. 



2.2 Timed Goals and Timed Winning Conditions 

We consider winning conditions given by sets of infinite traces. A goal $\Phi$ is a 
subset of $S^\omega$; we write $[\Phi]_r = \{r \in Runs \mid states(r) \in \Phi\}$. We write $\neg\Phi$ for the 
set $S^\omega \setminus \Phi$. We often use linear-time temporal logic formulas to specify goals; the 
propositional symbols of the formula consist of sets of states of the timed game 
[MP91]. We distinguish between the goal of a player and the corresponding 
winning condition. The goal represents the control objective that the player 
must attain; for instance, staying forever in a region of "safe" states. To win 
the game, however, a player must not only attain this goal, but also make sure 
that this is done in a physically meaningful way: this is encoded by the winning 
condition. To this end, we define the set of time divergent runs $td$ as the set 
of all runs $s_0, (m_1^1, m_2^1), s_1, (m_1^2, m_2^2), s_2, \ldots$ such that $\sum_{k \geq 1} delay(m_1^k, m_2^k) = 
\infty$. For $i \in \{1, 2\}$, we define the set of player $i$ blameless runs $Blameless_i$ as 
the set of all runs in which player $i$ plays first (proposes a shorter delay) only 
finitely many times. Formally, $Blameless_i$ consists of all runs $s_0, (m_1^1, m_2^1), s_1, \ldots$ 
such that there exists an $n \in \mathbb{N}$ with $\neg bl_i(s_k, m_1^{k+1}, m_2^{k+1}, s_{k+1})$ for all $k \geq n$. 
Corresponding to the goal $\Phi$, we define the following winning condition: 

$$WC_i(\Phi) : (td \cap [\Phi]_r) \cup (Blameless_i \setminus td).$$

Informally, this condition states that if time diverges, the goal must be met, and 
if time does not diverge, the player must be blameless. 
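The round semantics of Sect. 2.1 (joint destination function, elapsed delay, blame predicate) and the winning condition $WC_i(\Phi)$ of Sect. 2.2, as an added Python example that is not part of the paper. Infinite runs are represented as lassos (a finite prefix of rounds followed by a cycle of rounds repeated forever), which suffices to decide $td$, $Blameless_i$ and $WC_i$ for the toy game below; that game (states `u` and `out`, player 2's action `leave` with delay 4) is constructed after the stalling example of the introduction and is an assumption of the example.

```python
"""Round semantics and winning conditions of a timed game structure (added
example, not the paper's code).  A run is a lasso: a finite prefix of rounds
plus a cycle repeated forever, enough to decide td, Blameless_i and WC_i.  The
toy game at the bottom (states 'u', 'out'; player 2 action 'leave') is
constructed after the stalling example of the introduction."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Hashable, List, Set, Tuple

BOTTOM = "bot"                                  # the idle action ⊥
Move = Tuple[Fraction, str]                     # a move (Δ, a)
Step = Tuple[Hashable, Move, Move, Hashable]    # one round (s, m1, m2, s')

@dataclass
class TimedGameStructure:
    """G = (S, Acts1, Acts2, Γ1, Γ2, δ); S is implicit in the two functions."""
    enabled: Callable[[int, Hashable, Move], bool]   # m ∈ Γ_i(s) ?
    dest: Callable[[Hashable, Move], Hashable]       # δ(s, m)

    def joint_dest(self, s, m1: Move, m2: Move) -> Set[Hashable]:
        """The move with the smaller delay is taken; on equal delays either
        successor is possible (nondeterministic choice)."""
        if m1[0] < m2[0]:
            return {self.dest(s, m1)}
        if m2[0] < m1[0]:
            return {self.dest(s, m2)}
        return {self.dest(s, m1), self.dest(s, m2)}

    def blame(self, i: int, step: Step) -> bool:
        """bl_i(s, m1, m2, s'): player i proposed a delay no larger than the
        opponent's, and s' is the destination of player i's own move."""
        s, m1, m2, s_next = step
        mine, other = (m1, m2) if i == 1 else (m2, m1)
        return mine[0] <= other[0] and s_next == self.dest(s, mine)

def delay(m1: Move, m2: Move) -> Fraction:
    """Time elapsed in a round: min(Δ1, Δ2)."""
    return min(m1[0], m2[0])

@dataclass
class LassoRun:
    prefix: List[Step]
    cycle: List[Step]          # non-empty; repeated forever

    def check(self, G: TimedGameStructure) -> None:
        """Every round must use enabled moves and a joint destination."""
        for s, m1, m2, s_next in self.prefix + self.cycle:
            assert G.enabled(1, s, m1) and G.enabled(2, s, m2)
            assert s_next in G.joint_dest(s, m1, m2)

    def all_states(self) -> List[Hashable]:
        steps = self.prefix + self.cycle
        return [st[0] for st in steps] + [steps[-1][3]]

def time_diverges(r: LassoRun) -> bool:
    """r ∈ td iff the delays sum to infinity, i.e. the cycle consumes time."""
    return sum(delay(m1, m2) for _, m1, m2, _ in r.cycle) > 0

def blameless(i: int, r: LassoRun, G: TimedGameStructure) -> bool:
    """r ∈ Blameless_i iff player i is blamed only finitely often (never in the cycle)."""
    return not any(G.blame(i, st) for st in r.cycle)

def wins_run(i: int, r: LassoRun, goal, G: TimedGameStructure) -> bool:
    """r ∈ WC_i(Φ) = (td ∩ Φ) ∪ (Blameless_i \\ td)."""
    return goal(r) if time_diverges(r) else blameless(i, r, G)

def always(T: Set[Hashable]):
    """The safety goal □T: every state of the run lies in T."""
    return lambda r: all(s in T for s in r.all_states())

# Constructed toy game: player 1 wants to stay in U = {'u'} forever; player 2
# owns an action 'leave' that exits U after a delay of 4.
def _enabled(i: int, s, m: Move) -> bool:
    d, a = m
    return d >= 0 if a == BOTTOM else (i == 2 and a == "leave" and s == "u" and d == 4)

def _dest(s, m: Move):
    return "out" if m[1] == "leave" else s

GAME = TimedGameStructure(_enabled, _dest)
GOAL = always({"u"})                            # Φ = □U, player 1's goal
NOT_GOAL = lambda r: not GOAL(r)                # ¬Φ, player 2's goal

def idle(d) -> Move:
    return (Fraction(d), BOTTOM)

# Player 1 stalls with (0,⊥) forever: time converges and player 1 is blamed.
STALL = LassoRun([], [("u", idle(0), (Fraction(4), "leave"), "u")])
# Player 1 lets time pass, player 2 leaves U, then both idle forever.
LEAVE = LassoRun([("u", idle(5), (Fraction(4), "leave"), "out")],
                 [("out", idle(1), idle(1), "out")])
# Both idle in U with positive delays: time diverges and □U holds.
STAY = LassoRun([], [("u", idle(1), idle(1), "u")])

def evaluate(r: LassoRun) -> Tuple[bool, bool]:
    """(r ∈ WC_1(Φ), r ∈ WC_2(¬Φ)); by the symmetric definition never both."""
    r.check(GAME)
    return wins_run(1, r, GOAL, GAME), wins_run(2, r, NOT_GOAL, GAME)
```

`evaluate(STALL)` returns `(False, True)`: the stalling run is lost by player 1, who is blamed for the convergence of time, and won by player 2, who is blameless along it. On none of the three runs do both players win, which is the disjointness of $WC_1(\Phi)$ and $WC_2(\neg\Phi)$ claimed above.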

Given a goal $\Phi$ and a state $s \in S$, we say that player $i$ wins from $s$ the 
game with goal $\Phi$, or equivalently, wins from $s$ the game with winning condition 
$WC_i(\Phi)$, if there exists a player $i$ strategy $\pi_i \in \Pi_i$ such that for all opposing 
strategies $\pi_{\sim i} \in \Pi_{\sim i}$, we have $Outcomes(s, \pi_1, \pi_2) \subseteq WC_i(\Phi)$. In that case, 
$\pi_i \in \Pi_i$ is called a winning strategy. Given a goal $\Phi$, we let $\langle i \rangle \Phi$ be the states from 
which player $i$ can win the game with goal $\Phi$. A state $s$ is well-formed if for every 
state $s'$ reachable from $s$, and each player $i \in \{1, 2\}$, we have $s' \in \langle i \rangle S^\omega$. States 
that are not well-formed are "pathological": if a player cannot win the goal $S^\omega$, 
then he cannot ensure that the game outcomes are physically meaningful. 

3 Timed Automaton Games 

In this section, we introduce timed automaton games, a syntax derived from 
timed automata [AD94] for representing timed games. As in timed automata, a 
finitely specified timed automaton game usually represents a timed game with 
infinitely many states. A clock condition over a set $C$ of clocks is a boolean 
combination of formulas of the form $x \bowtie c$ or $x - y \bowtie c$, where $c$ is an integer, 
$x, y \in C$, and $\bowtie$ is either $<$ or $\leq$. We denote the set of all clock conditions over 
$C$ by $ClkConds(C)$. A clock valuation is a function $\kappa : C \to \mathbb{R}_{\geq 0}$, and we denote 
by $K(C)$ the set of all clock valuations for $C$. 

A timed automaton game is a tuple $\mathcal{A} = (Q, C, Acts_1, Acts_2, E, \theta, \rho, Inv_1, 
Inv_2)$, where: 

— $Q$ is a finite set of locations. 

— $C$ is a finite set of clocks which includes the unresettable clock $z$, which 
measures the time since the start of the game. 

— $Acts_1$ and $Acts_2$ are two disjoint, finite sets of actions for player 1 and 
player 2, respectively. 

— $E \subseteq Q \times (Acts_1 \cup Acts_2) \times Q$ is an edge relation. 

— $\theta : E \to ClkConds(C)$ is a mapping that associates with each edge a clock 
condition that specifies when the edge can be traversed. We require that for 
all $(q, a, q_1), (q, a, q_2) \in E$ with $q_1 \neq q_2$, the conjunction $\theta(q, a, q_1) \wedge \theta(q, a, q_2)$ 
is unsatisfiable. In other words, the game move and clock values determine 
uniquely the successor location. 

— $\rho : E \to 2^{C \setminus \{z\}}$ is a mapping that associates with each edge the set of clocks 
to be reset when the edge is traversed. 

— $Inv_1, Inv_2 : Q \to ClkConds(C)$ are two functions that associate with each 
location an invariant for player 1 and 2, respectively. 

Given a clock valuation $\kappa : C \to \mathbb{R}_{\geq 0}$ and $\Delta \in \mathbb{R}_{\geq 0}$, we denote by $\kappa + \Delta$ the 
valuation defined by $(\kappa + \Delta)(x) = \kappa(x) + \Delta$ for all clocks $x \in C$. The clock 
valuation $\kappa : C \to \mathbb{R}_{\geq 0}$ satisfies the clock constraint $\alpha \in ClkConds(C)$, written 
$\kappa \models \alpha$, if the condition $\alpha$ holds when the clocks have the values specified by 
$\kappa$. For a subset $D \subseteq C$ of clocks, $\kappa[D := 0]$ denotes the valuation defined by 
$\kappa[D := 0](x) = 0$ if $x \in D$, and by $\kappa[D := 0](x) = \kappa(x)$ otherwise. 

The timed automaton game $\mathcal{A}$ induces a timed game structure $[\![\mathcal{A}]\!]$, whose 
states consist of a location of $\mathcal{A}$ and a clock valuation over $C$. The idea is the 
following. A player $i$ move $(\Delta, \bot)$ is enabled in state $(q, \kappa)$ if either $\Delta = 0$ or 
the invariant $Inv_i(q)$ holds continuously when we let $\Delta$ time units pass, that 
is, $\kappa + \Delta' \models Inv_i(q)$ for all $\Delta' \leq \Delta$. Taking the move $(\Delta, \bot)$ leads to the 
state $(q, \kappa + \Delta)$. For $a \in Acts_i$, the move $(\Delta, a)$ is enabled in $(q, \kappa)$ if (1) the 
invariant $Inv_i(q)$ holds continuously when we let $\Delta$ time units pass, (2) there is 
a transition $(q, a, q')$ in $E$ which is enabled in the state $(q, \kappa + \Delta)$, and (3) the 
invariant $Inv_i(q')$ holds when the game enters location $q'$. The move $(\Delta, a)$ leads 
to the state $(q', \kappa')$, where $\kappa'$ is obtained from $\kappa + \Delta$ by resetting all clocks in 
$\rho(q, a, q')$. 

Formally, the timed automaton game $\mathcal{A} = (Q, C, Acts_1, Acts_2, E, \theta, \rho, Inv_1, 
Inv_2)$ induces the timed game structure $[\![\mathcal{A}]\!] = (S, Acts_1, Acts_2, \Gamma_1, \Gamma_2, \delta)$. Here, 
$S = Q \times K(C)$ and for each state $(q, \kappa) \in S$, the set $\Gamma_i((q, \kappa))$ is given by: 

$$
\Gamma_i((q, \kappa)) = \{(\Delta, a) \in M_i \mid \forall \Delta' \in [0, \Delta] .\ \kappa + \Delta' \models Inv_i(q)\ \wedge
$$
$$
(a \neq \bot \rightarrow \exists q' \in Q .\ ((q, a, q') \in E \wedge (\kappa + \Delta) \models \theta(q, a, q')\ \wedge
$$
$$
(\kappa + \Delta)[\rho(q, a, q') := 0] \models Inv_i(q')))\} \cup \{(0, \bot)\}.
$$

The destination function $\delta$ is defined by $\delta((q, \kappa), (\Delta, \bot)) = (q, \kappa + \Delta)$, and for 
$a \in Acts_1 \cup Acts_2$, by $\delta((q, \kappa), (\Delta, a)) = (q', \kappa')$, where $q'$ is the unique location 
such that $(q, a, q') \in E$ and $(\kappa + \Delta) \models \theta(q, a, q')$, and $\kappa' = (\kappa + \Delta)[\rho(q, a, q') := 0]$. 
A state, a run, and a player $i$ strategy of $\mathcal{A}$ are, respectively, a state, a run, and 
a player $i$ strategy of $[\![\mathcal{A}]\!]$. We say that player $i$ wins the goal $\Phi \subseteq S^\omega$ from state 
$s \in S$ in $\mathcal{A}$ if he wins from $s$ in $[\![\mathcal{A}]\!]$. We say that $s$ is well-formed in $\mathcal{A}$ if it is 
so in $[\![\mathcal{A}]\!]$. 
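The enabling conditions $\Gamma_i$ and the destination function $\delta$ of the induced structure $[\![\mathcal{A}]\!]$, as an added Python example that is not part of the paper. It restricts guards and invariants to conjunctions of atomic clock constraints: their satisfying sets are convex, so "the invariant holds continuously while $\Delta$ time units pass" can be decided at the two end points $\kappa$ and $\kappa + \Delta$ (with disjunctions this shortcut would be unsound). The two-location automaton at the bottom (player 1's action `a1` guarded by $x \geq 1$, player 2's action `a2` resetting $x$, invariant $x \leq 2$ for player 1 in $p$) is constructed for illustration and is not one of the games of Fig. 1.

```python
"""Enabling conditions Γ_i and destination δ of the timed game structure [[A]]
induced by a timed automaton game (added example, not the paper's code).
Guards and invariants are conjunctions of atomic constraints, which are convex,
so an invariant holding at κ and κ+Δ holds on the whole segment in between.
The automaton at the bottom is constructed for illustration."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional, Set, Tuple

BOTTOM = "bot"                                   # the idle action ⊥
Valuation = Dict[str, Fraction]
Atom = Tuple[str, Optional[str], str, int]        # (x, y, op, c): x - y op c; y=None: x op c
Edge = Tuple[str, List[Atom], Set[str]]           # (q', guard θ, resets ρ)

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}

def sat(k: Valuation, cond: List[Atom]) -> bool:
    """κ ⊨ α for a conjunction of atoms (the empty conjunction is true)."""
    return all(OPS[op](k[x] - (k[y] if y else 0), c) for x, y, op, c in cond)

def plus(k: Valuation, d) -> Valuation:
    """κ + Δ."""
    return {x: v + d for x, v in k.items()}

def reset(k: Valuation, D: Set[str]) -> Valuation:
    """κ[D := 0]."""
    return {x: (Fraction(0) if x in D else v) for x, v in k.items()}

@dataclass
class TimedAutomatonGame:
    acts: Dict[int, Set[str]]                     # Acts_1, Acts_2 (disjoint)
    edges: Dict[Tuple[str, str], List[Edge]]      # (q, a) -> outgoing edges
    inv: Dict[int, Dict[str, List[Atom]]]         # Inv_i(q)

    def edge(self, q: str, a: str, k: Valuation) -> Optional[Edge]:
        """The unique edge (q, a, q') whose guard κ satisfies, if any."""
        hits = [e for e in self.edges.get((q, a), []) if sat(k, e[1])]
        assert len(hits) <= 1, "guards of edges with equal source and action overlap"
        return hits[0] if hits else None

    def enabled(self, i: int, state, move) -> bool:
        """(Δ, a) ∈ Γ_i((q, κ))."""
        (q, k), (d, a) = state, move
        if d < 0:
            return False
        if a == BOTTOM and d == 0:               # (0, ⊥) is always enabled
            return True
        inv = self.inv[i][q]
        if not (sat(k, inv) and sat(plus(k, d), inv)):   # convexity: end points suffice
            return False
        if a == BOTTOM:
            return True
        if a not in self.acts[i]:                # a player may only play its own actions
            return False
        hit = self.edge(q, a, plus(k, d))
        return hit is not None and sat(reset(plus(k, d), hit[2]), self.inv[i][hit[0]])

    def dest(self, state, move):
        """δ((q, κ), (Δ, a)); only meaningful for enabled moves."""
        (q, k), (d, a) = state, move
        if a == BOTTOM:
            return (q, plus(k, d))
        q2, _, D = self.edge(q, a, plus(k, d))
        return (q2, reset(plus(k, d), D))

# Constructed game: from p, player 1 may take a1 to q once x >= 1 but must not let
# x exceed 2 while in p (Inv_1(p)); player 2 may reset x at any time with a2.
GAME = TimedAutomatonGame(
    acts={1: {"a1"}, 2: {"a2"}},
    edges={("p", "a1"): [("q", [("x", None, ">=", 1)], set())],
           ("p", "a2"): [("p", [], {"x"})]},
    inv={1: {"p": [("x", None, "<=", 2)], "q": []}, 2: {"p": [], "q": []}},
)
S0 = ("p", {"x": Fraction(0), "z": Fraction(0)})   # initial state (p, 0)
```

From `S0`, player 1's move `(1, "a1")` is enabled while `(1/2, "a1")` is not (the guard is false at $\kappa + \Delta$), and `(3, "bot")` is rejected for player 1 but accepted for player 2, because only $Inv_1(p)$ bounds $x$.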

Regions. Timed automaton games, similarly to timed automata, can be analyzed 
with the help of an equivalence relation of finite index on the set of states. Given 
a timed automaton game $\mathcal{A}$, for each clock $x \in C$, let $c_x$ be the largest constant 
in the guards and invariants of $\mathcal{A}$ that involve $x$, where $c_x = 0$ if $x$ does not 
occur in any guard or invariant of $\mathcal{A}$. Two clock valuations $\kappa_1, \kappa_2$ are clock 
equivalent if (1) for all $x \in C$, either $\lfloor \kappa_1(x) \rfloor = \lfloor \kappa_2(x) \rfloor$ or both $\lfloor \kappa_1(x) \rfloor > c_x$ 
and $\lfloor \kappa_2(x) \rfloor > c_x$, (2) the ordering of the fractional parts of the clock variables 
in the set $\{z\} \cup \{x \in C \mid \kappa_1(x) \leq c_x\}$ is the same in $\kappa_1$ and $\kappa_2$, and (3) for all 
$x \in \{z\} \cup \{y \in C \mid \kappa_1(y) \leq c_y\}$, the clock value $\kappa_1(x)$ is an integer if and only 
if $\kappa_2(x)$ is an integer. A clock region is a clock equivalence class, and we write 
$[\kappa]$ for the clock equivalence class of the clock valuation $\kappa$. Two states $(q_1, \kappa_1)$ 
and $(q_2, \kappa_2)$ are region equivalent, written $(q_1, \kappa_1) \cong (q_2, \kappa_2)$, if (1) $q_1 = q_2$ and 
(2) $\kappa_1$ and $\kappa_2$ are clock equivalent. A region is an equivalence class with respect 
to $\cong$; we write $[s]$ for the region containing state $s$. 
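The three conditions of clock equivalence, as an added Python example that is not part of the paper. Valuations are maps from clock names to exact rationals, the unresettable clock is named `z` and is always tracked, and `cmax` supplies $c_x$ (defaulting to 0 for clocks that occur in no guard or invariant). The paper states conditions (2) and (3) relative to $\kappa_1$; the code applies them to the clocks bounded in either valuation, a choice made here so that the implemented relation is symmetric, as an equivalence must be. `region_key` additionally computes a canonical name of $[\kappa]$, which is how a region-based algorithm indexes the finitely many regions.

```python
"""Region equivalence of clock valuations (added example, not the paper's
code).  Valuations are dicts clock -> Fraction; 'z' is the unresettable global
clock and is always tracked; cmax[x] is c_x, defaulting to 0.  Conditions (2)
and (3) are applied to the clocks bounded in either valuation (symmetric)."""
from fractions import Fraction
from math import floor
from typing import Dict, Tuple

Valuation = Dict[str, Fraction]
Z = "z"

def val(**clocks) -> Valuation:
    """Build a valuation from exact decimal strings, e.g. val(x="1.3", z="5")."""
    return {x: Fraction(v) for x, v in clocks.items()}

def _frac(v: Fraction) -> Fraction:
    return v - floor(v)

def clock_equivalent(k1: Valuation, k2: Valuation, cmax: Dict[str, int]) -> bool:
    if set(k1) != set(k2):
        return False
    # (1) integer parts agree, or both lie above the largest constant c_x
    for x in k1:
        cx = cmax.get(x, 0)
        if floor(k1[x]) != floor(k2[x]) and not (floor(k1[x]) > cx and floor(k2[x]) > cx):
            return False
    tracked = {Z} | {x for x in k1 if min(k1[x], k2[x]) <= cmax.get(x, 0)}
    # (3) tracked clocks are integral in k1 iff they are integral in k2
    for x in tracked:
        if (_frac(k1[x]) == 0) != (_frac(k2[x]) == 0):
            return False
    # (2) the ordering of the fractional parts of tracked clocks is the same
    for x in tracked:
        for y in tracked:
            if (_frac(k1[x]) < _frac(k1[y])) != (_frac(k2[x]) < _frac(k2[y])):
                return False
    return True

def region_equivalent(s1: Tuple[str, Valuation], s2: Tuple[str, Valuation], cmax) -> bool:
    """(q1, κ1) ≅ (q2, κ2): same location and clock-equivalent valuations."""
    return s1[0] == s2[0] and clock_equivalent(s1[1], s2[1], cmax)

def region_key(k: Valuation, cmax: Dict[str, int]):
    """A canonical, hashable name of [κ]: two valuations are clock equivalent
    iff their keys are equal, so keys can index the finite set of regions."""
    ints = tuple(sorted((x, "gt" if floor(v) > cmax.get(x, 0) else floor(v))
                        for x, v in k.items()))
    tracked = {Z} | {x for x, v in k.items() if v <= cmax.get(x, 0)}
    by_frac: Dict[Fraction, list] = {}
    for x in sorted(tracked):
        by_frac.setdefault(_frac(k[x]), []).append(x)
    order = tuple((f == 0, tuple(xs)) for f, xs in sorted(by_frac.items()))
    return ints, order

CMAX = {"x": 2, "y": 1}      # constructed bounds; z occurs in no guard, so c_z = 0
```

With `CMAX`, `val(x="1.8", y="0.2", z="9.8")` and `val(x="1.5", y="0.1", z="3.5")` are clock equivalent (same integer parts below the bounds, same ordering `y < x = z` of fractional parts), whereas `val(x="1.3", y="0.7", z="5.3")` is not, because there `x = z < y`.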



4 Structural Properties of Winning Strategies 

We now consider structure theorems for strategies in timed automaton games. 
Throughout this section, $a_1$ is an action for player 1, and $a_2$ one for player 2. 
For a location $p$ in a timed automaton game $\mathcal{A}$ with clock set $C$, we let $\Diamond p = 
\Diamond\{(p, \kappa) \mid \kappa \in K(C)\}$ and $\Box p = \Box\{(p, \kappa) \mid \kappa \in K(C)\}$.¹ Moreover, $\mathbf{0}$ denotes the 
valuation that assigns 0 to all clocks in $C$. 

Determinacy. A class $\mathcal{C}$ of timed game structures is strongly determined (respectively, 
weakly determined) for a class $\mathcal{F}$ of goals if the following holds for 
every structure $\mathcal{G} \in \mathcal{C}$, every goal $\Phi \in \mathcal{F}$, all well-formed states $s$, and each 
player $i \in \{1, 2\}$: if player $i$ cannot win $WC_i(\Phi)$ from $s$, then there exists a 
player $\sim i$ strategy $\pi_{\sim i} \in \Pi_{\sim i}$ such that for all player $i$ strategies $\pi_i \in \Pi_i$, we 
have $Outcomes(s, \pi_1, \pi_2) \subseteq WC_{\sim i}(\neg\Phi)$ (respectively, $Outcomes(s, \pi_1, \pi_2) \cap 
WC_i(\Phi) = \emptyset$). Note that this condition is trivially false for non-well-formed states, 
because one player cannot win the goal $S^\omega$ and the other player surely cannot 
win the goal $\emptyset$. We let the class of reachability goals be all goals of the form $\Diamond T$. 

Theorem 1. The timed automaton games (and hence, the timed game structures) 
are neither weakly, nor strongly, determined for the class of reachability 
goals. 

The following example exhibits a timed automaton game and a goal $\Phi$ such 
that player 1 cannot win $WC_1(\Phi)$, but player 2 does not have a strategy to enforce 
$WC_2(\neg\Phi)$ (strong) or $\neg WC_1(\Phi)$ (weak), even if player 2 can use the nondeterministic 
choices to his advantage. 

Example 1. Consider Fig. 1(a). It is clear that player 1 does not have a 
winning strategy for $WC_1(\Diamond q)$ from state $(p, \mathbf{0})$. To prove that this game is not 
strongly determined, we show that no matter which strategy $\pi_2$ is played by 
player 2, player 1 always has a strategy $\pi_1$ such that $Outcomes((p, \mathbf{0}), \pi_1, \pi_2) \cap 
WC_2(\neg\Diamond q) = \emptyset$. If $\pi_2$ proposes a delay $\Delta_2 > 1$, then $\pi_1$ plays the move $(\Delta_1, a_1)$ 
for $\Delta_1 = 1 + (\Delta_2 - 1)/2$; if $\pi_2$ proposes a delay $\Delta_2 \leq 1$, then $\pi_1$ proposes move 
$(1, \bot)$. Let $r \in Outcomes((p, \mathbf{0}), \pi_1, \pi_2)$. Then, either $r$ contains a player 2 move 
with a positive delay, in which case $q$ is reached, or player 2 plays $(0, \bot)$ moves 
forever and is not blameless, i.e., $r \notin Blameless_2$. In either case, $r \notin WC_2(\neg\Diamond q)$. 
In a similar way, one shows that the game is not weakly determined. 

Memoryless Strategies. Memoryless strategies are strategies that only depend 
on the last state of a run. Formally, a strategy $\pi \in \Pi$ is memoryless if, for all 
$r, r' \in FRuns$, we have that $last(r) = last(r')$ implies $\pi(r) = \pi(r')$. For $i \in \{1, 2\}$, 
we often treat a memoryless strategy for player $i$ as a function in $S \to M_i$ by 
writing $\pi_i(last(r))$ instead of $\pi_i(r)$. In the untimed case, memoryless strategies 
are sufficient to win safety and reachability games. In timed games, memoryless 
strategies suffice to win safety games, i.e., goals of the form $WC_i(\Box T)$; however, 
winning strategies in reachability games (goals of the form $WC_i(\Diamond T)$) in general 
do require memory. 

¹ We use the standard LTL operators $\Diamond T$ and $\Box T$ to denote, respectively, the set of 
traces that eventually reach some state in $T$, and the set of traces that always stay 
in $T$ [MP91]. 
[Fig. 1 is not reproduced; the edge labels recoverable from it are $a_2, x > 1, x := 0$; $x = 0$; $a_1$; and $a_2, x := 0$.] 

(a) Undetermined. (b) Memory needed. (c) Surprise needed. 

Fig. 1. Games with winning condition $WC_1(\Diamond q)$, where $a_1 \in Acts_1$ and $a_2 \in Acts_2$. 



Theorem 2. 

1. For every well-formed state $s$ of a timed game structure $\mathcal{G}$, and every set 
$T$ of states of $\mathcal{G}$, if player $i$ has a strategy to win $WC_i(\Box T)$ from $s$, then 
player $i$ has a memoryless strategy for winning $WC_i(\Box T)$ from $s$. 

2. There exists a timed automaton game $\mathcal{A}$, a state $s$ of $\mathcal{A}$, and a set $T$ of 
states of $\mathcal{A}$ such that player $i$ has a strategy to win $WC_i(\Diamond T)$ from $s$, but no 
memoryless strategy for winning $WC_i(\Diamond T)$ from $s$. 

The following example proves part 2. 

Example 2. Consider the game in Fig. 1(b). Player 1 has a winning strategy 
for $WC_1(\Diamond q)$ from $(p, \mathbf{0})$, but not a memoryless one: to win, he needs to remember 
whether $q$ has been visited already. If so, then he has to let time pass, and 
if not, a visit to $q$ has to be made before letting time pass. Let $\pi : S \to M_1$ be 
a memoryless strategy for player 1. It is easy to see that, if $\pi((p, \mathbf{0})) = (\Delta, \bot)$, 
then $q$ will never be reached, and otherwise, if $\pi((p, \mathbf{0})) = (0, a_1)$, then time will 
not progress, while $\pi$ does not ensure that player 1 is blameless. Hence, player 
1 cannot win $WC_1(\Diamond q)$ with a memoryless strategy. 

No-Surprise Strategies. A no-surprise strategy is a strategy that plays only two 
kinds of moves: either time steps (action $\bot$, with any delay), or actions with 
delay 0. Formally, a strategy $\pi \in \Pi$ is no-surprise if for all $r \in FRuns$ either 
$\pi(r) = (0, a)$ with $a \in Acts$, or $\pi(r) = (\Delta, \bot)$ with $\Delta \in \mathbb{R}_{\geq 0}$. The following 
theorem shows that there are cases where surprise is necessary to win, even 
when the goal is a reachability property, and player 2 is restricted to no-surprise 
strategies as well. 

Theorem 3. There is a timed automaton game $\mathcal{A}$, a state $s$ of $\mathcal{A}$, and a goal 
$\Phi$ such that player 1 has a strategy to win $WC_1(\Phi)$ from $s$, but there is no no-surprise 
strategy $\pi_1 \in \Pi_1$ such that for all no-surprise strategies $\pi_2 \in \Pi_2$, we 
have $Outcomes(s, \pi_1, \pi_2) \subseteq WC_1(\Phi)$. 

The proof is given by the following example. 

Example 3. Consider Fig. 1(c). Player 1 has a strategy to win $WC_1(\Diamond q)$ from 
state $(p, \mathbf{0})$. For instance, he can play $\pi_1(r) = (\ldots, a_1)$ if $r$ contains $n$ visits 
to $p$ and it ends in $(p, \kappa)$ with $\kappa(x) + \ldots \leq 1$; and play $\pi_1(r) = (1, \bot)$ in all 
other cases. Let $\pi_2 \in \Pi_2$ and $r$ be a run in $Outcomes((p, \mathbf{0}), \pi_1, \pi_2)$. If one of his 
moves $(\Delta, a_1)$ is taken in $r$, then player 1 clearly wins, that is, $r \in WC_1(\Diamond q)$. 
Otherwise, if none of these moves is ever carried out in $r$, then player 1 is 
blameless and, as $\ldots$ does not diverge, $r \in WC_1(\Diamond q)$ as well. 

However, player 1 does not have a no-surprise strategy to win $WC_1(\Diamond q)$ 
from $(p, \mathbf{0})$. All no-surprise player 1 strategies $\pi_1$ lose against player 2 playing 
the no-surprise strategy $\pi_2$ defined by $\pi_2(r) = (0, a_2)$ if $r = r'(m_1, m_2)s$ and 
$m_1 = (\Delta, \bot)$; and $\pi_2(r) = (1, \bot)$ otherwise. This is because, in order to enable 
$a_1$, player 1 has to increase $x$ by taking some move $(\Delta, \bot)$ first. However, immediately 
after he does so, player 2 plays $(0, a_2)$, thus resetting $x$. As a result, $q$ is 
never reached, and both players play infinitely often, so $\pi_1$ cannot ensure that 
player 1 is blameless. 

Move Independence. A strategy $\pi \in \Pi$ is move independent if, for all $r, r' \in 
FRuns$, we have that $states(r) = states(r')$ implies $\pi(r) = \pi(r')$. We show that 
move independent strategies suffice to win a timed automaton game. Note that, 
for $\omega$-regular goals, this result follows immediately from the strategies derived 
from the $\mu$-calculus solution for these games; see Sect. 5. 

Proposition 1. Let $\mathcal{A}$ be a timed automaton game and $s$ be a state of $\mathcal{A}$. For 
every goal $\Phi$, if player $i$ has a strategy to win $WC_i(\Phi)$ from $s$, then player $i$ has 
a move independent strategy for winning $WC_i(\Phi)$ from $s$. 

Persistence. Persistent strategies are strategies that stick with their choices, even 
if they are interrupted by a move $(\Delta, \bot)$ (or another move with the same effect) 
of the opponent. Formally, a persistent player 1 strategy is a strategy $\pi \in \Pi_1$ such 
that for all finite runs $r = r' s (m_1, m_2) s'$ with $m_1 = (\Delta_1, a_1)$, $m_2 = (\Delta_2, a_2)$, and 
$s' = \delta(s, (\Delta_2, \bot))$, we have (1) if $\Delta_2 < \Delta_1$, then $\pi(r) = (\Delta_1 - \Delta_2, a_1)$, and (2) if 
$a_1 \neq \bot$ and $\Delta_1 = \Delta_2$, then $\pi(r) = (0, a_1)$. The persistent player 2 strategies are 
defined symmetrically. Consider a finite run $r = r' s (m_1, m_2) s'$. Assume that, in 
$r' s$, player 1 likes to play the move $\pi(r' s) = (\Delta_1, a_1)$, but is interrupted because 
player 2 plays a move $(\Delta_2, \bot)$ with $\Delta_2 \leq \Delta_1$. After $(\Delta_2, a_2)$ has been taken, 
a persistent strategy requires player 1 to play the portion of his previous move 
$(\Delta_1, a_1)$ which was not carried out; that is, player 1 must play $(\Delta_1 - \Delta_2, a_1)$, 
unless $\Delta_1 = \Delta_2$ and $a_1 = \bot$. Persistent strategies suffice to win timed games. 

Theorem 4. Let $\mathcal{G}$ be a timed game structure and $s$ be a state of $\mathcal{G}$. For every 
goal $\Phi$, if player $i$ has a strategy to win $WC_i(\Phi)$ from $s$, then player $i$ has a 
persistent strategy for winning $WC_i(\Phi)$ from $s$. 

5 Solving Timed Automaton Games 

In this section, we show how timed automaton games can be solved with respect 
to $\omega$-regular goals via the equational $\mu$-calculus. We consider a goal that is 
specified by a parity automaton over the set of locations of the timed automaton 
game, and based on this, we construct another parity automaton that encodes 
the winning condition. Finally, from the automaton that encodes the winning 
condition we obtain a $\mu$-calculus formula that, evaluated over the timed automaton 
game, defines the winning states of the game. Since the $\mu$-calculus formula 
preserves the regions of the timed automaton game, it provides an algorithm for 
solving timed automaton games. 



5.1 Representing Goals and Winning Conditions 

Consider a timed automaton game $\mathcal{A}$ with locations $Q$ and clocks $C$. A goal 
$\Phi \subseteq (Q \times K(C))^\omega$ of $\mathcal{A}$ is a location goal if it is independent of clock valuations; 
that is, if $(q_0, \kappa_0)(q_1, \kappa_1) \cdots \in \Phi$, then for all $\kappa'_0, \kappa'_1, \ldots$, we have 
$(q_0, \kappa'_0)(q_1, \kappa'_1) \cdots \in \Phi$. Since location goals depend only on the sequence of locations, 
we view, with abuse of notation, a location goal to be a subset of $Q^\omega$. We 
consider in this section location goals that are $\omega$-regular subsets of $Q^\omega$ [Tho90]. 
Such location goals can be specified by means of deterministic parity automata 
over the alphabet $Q$ [EJ91]. A parity automaton (also known as Rabin-chain automaton) 
of order $k$ over the alphabet $\Sigma$ is a tuple $H = (P, P_0, \Sigma, \tau, \ell, \Omega)$, where 
$P$ is the set of locations of the automaton, $P_0 \subseteq P$ is the set of initial locations, 
$\tau : P \to 2^P$ is the transition relation, $\ell : P \to \Sigma$ assigns to each location $p \in P$ 
a symbol $\ell(p)$ of the alphabet $\Sigma$, and $\Omega : P \to \{0, \ldots, 2k - 1\}$ assigns to each 
location $p \in P$ an index $\Omega(p)$. 

An execution of $H$ from a source location $p_0 \in P$ is an infinite sequence 
$p_0, p_1, p_2, \ldots$ of automaton locations such that $p_{j+1} \in \tau(p_j)$ for all $j \geq 0$; if $p_0 \in 
P_0$, then the execution is initialized. The execution $\alpha = p_0, p_1, p_2, \ldots$ generates 
the trace $\ell(\alpha) = \ell(p_0), \ell(p_1), \ell(p_2), \ldots$ of symbols of $\Sigma$. Given an execution 
$\alpha = p_0, p_1, p_2, \ldots$, we denote by $MaxIndex(\Omega, \alpha)$ the largest $j \in \{0, \ldots, 2k - 
1\}$ such that $\Omega(p_i) = j$ for infinitely many $i$. The execution $\alpha$ is accepting if 
$MaxIndex(\Omega, \alpha)$ is even. The language $\mathcal{L}(H)$ is the set of traces $\rho \in \Sigma^\omega$ such 
that $H$ has an initialized accepting execution $\alpha$ that generates $\rho$. The automaton 
$H$ is deterministic and total if (1a) for all locations $p_1, p_2 \in P_0$, if $p_1 \neq p_2$, then 
$\ell(p_1) \neq \ell(p_2)$; (1b) for all symbols $\sigma \in \Sigma$, there is a location $p \in P_0$ such that 
$\ell(p) = \sigma$; (2a) for all locations $p_1 \in P$ and $p_2, p_3 \in \tau(p_1)$, if $p_2 \neq p_3$, then 
$\ell(p_2) \neq \ell(p_3)$; (2b) for all locations $p_1 \in P$ and all symbols $\sigma \in \Sigma$, there is a 
location $p_2 \in \tau(p_1)$ such that $\ell(p_2) = \sigma$. If $H$ is deterministic and total, then 
we write $\tau(p_1, \sigma)$ for the unique location $p_2 \in \tau(p_1)$ with $\ell(p_2) = \sigma$. Deterministic and 
total parity automata suffice for recognizing all $\omega$-regular languages [Tho90]. 
We denote by $|H| = |P|$ the size of the automaton, measured as its number of 
locations, and by $|H|^*$ its order $k$. 

Let $\mathcal{A}$ be a timed automaton game with the set $Q$ of locations, and let $\Phi$ be 
a goal that is specified by means of a deterministic and total parity automaton 
$H_\Phi = (P, P_0, Q, \tau, \ell, \Omega)$ over the alphabet $Q$ such that $\mathcal{L}(H_\Phi) = \Phi$. The first 
step towards deriving a $\mu$-calculus formula for computing the winning states of 
$\mathcal{A}$ with respect to $\Phi$ represents the conditions $td$ and $Blameless_1$ as $\omega$-regular 
conditions. To this end, we consider an enlarged state space $\hat S = S \times \{t, f\}^2$, 
and an augmented transition relation $\hat\delta : \hat S \times M_1 \times M_2 \to 2^{\hat S}$. Intuitively, in 
an augmented state $(s, tick, bl) \in \hat S$, the component $s \in S$ is a state of the 
original game structure $[\![\mathcal{A}]\!]$, $tick$ is true if in the last transition the global clock 
$z$ has crossed an integer boundary, and $bl$ is true if player 1 is to blame for the 
last transition. Precisely, we let $((q', \kappa'), tick', bl') \in \hat\delta(((q, \kappa), tick, bl), m_1, m_2)$ 
iff $(q', \kappa') \in \hat\delta((q, \kappa), m_1, m_2)$, $tick' = t$ iff there is $n \in \mathbb{N}$ such that $\kappa(z) < n \leq 
\kappa'(z)$, and $bl' = t$ iff $bl_1((q, \kappa), m_1, m_2, (q', \kappa'))$. The set $td$ corresponds to the 
runs along which $tick$ is true infinitely often, and the set $Blameless_1$ corresponds 
to the runs along which $bl$ is true only finitely often. Once time divergence and 
blame are thus encoded, the winning condition $WC_1(\Phi)$ can be specified by a 
parity automaton $H_{WC_1(\Phi)}$ with the alphabet $\hat\Sigma = Q \times \{t, f\}^2$ and language 

$$
\mathcal{L}(H_{WC_1(\Phi)}) = \Big\{ (q_0, tick_0, bl_0)(q_1, tick_1, bl_1) \cdots \ \Big|\ 
\big(q_0 q_1 \cdots \in \Phi \ \wedge\ \forall k \in \mathbb{N} .\ \exists j \geq k .\ tick_j\big) 
\ \vee\ \exists k \in \mathbb{N} .\ \forall j \geq k .\ (\neg bl_j \wedge \neg tick_j) \Big\}. \qquad (1)
$$

The automaton $H_{WC_1(\Phi)} = (\hat P, \hat P_0, \hat\Sigma, \hat\tau, \hat\ell, \hat\Omega)$ is derived from the automaton 
$H_\Phi$ as follows. Let $k$ be the order of $H_\Phi$. We have $\hat P = P \times \{t, f\}^2 \times 
\{0, \ldots, 2k - 1\}$; intuitively, a location $(p, tick, bl, h) \in \hat P$ is composed of a 
location $p \in P$, of two boolean symbols representing the value of $tick$ and 
$bl$ at the location, and of an integer $h$ that keeps track of the maximum index 
of the locations of $H_\Phi$ that have been visited between two occurrences of 
$tick = t$. For $(p, tick, bl, h) \in \hat P$, we define $\hat\ell((p, tick, bl, h)) = (\ell(p), tick, bl)$, 
and we let $(p, tick, bl, h) \in \hat P_0$ iff $p \in P_0$. For all $p \in P$, $bl \in \{t, f\}$, and 
$h \in \{0, \ldots, 2k - 1\}$, we have $(p', tick', bl', h') \in \hat\tau((p, f, bl, h))$ iff $p' \in \tau(p)$ 
and $h' = \max\{h, \Omega(p')\}$, and we have $(p', tick', bl', h') \in \hat\tau((p, t, bl, h))$ iff 
$p' \in \tau(p)$ and $h' = \Omega(p')$. The index function $\hat\Omega : \hat P \to \{0, \ldots, 2k + 1\}$ 
is defined, for all $p \in P$, all $bl \in \{t, f\}$, and all $h \in \{0, \ldots, 2k - 1\}$, by 
$\hat\Omega((p, f, f, h)) = 0$, $\hat\Omega((p, f, t, h)) = 1$, and $\hat\Omega((p, t, bl, h)) = h + 2$. For all executions 
$\hat\alpha = (p_0, tick_0, bl_0, h_0), (p_1, tick_1, bl_1, h_1), (p_2, tick_2, bl_2, h_2), \ldots$ of $H_{WC_1(\Phi)}$, 
let $\alpha = p_0, p_1, p_2, \ldots$ be the corresponding execution in $H_\Phi$. We can show that 
(a) if there are infinitely many $j$ such that $tick_j = t$, then $MaxIndex(\hat\Omega, \hat\alpha) = 
MaxIndex(\Omega, \alpha) + 2$; (b) if there is $k \in \mathbb{N}$ such that $tick_j = bl_j = f$ for all $j \geq k$, 
then $MaxIndex(\hat\Omega, \hat\alpha) = 0$; and (c) in all other cases (i.e., when $tick_j$ holds for 
only finitely many values of $j$, but $bl_j$ holds for infinitely many values of $j$), we 
have $MaxIndex(\hat\Omega, \hat\alpha) = 1$. Together, these facts lead to (1). 

Lemma 1. Given $H_\Phi$, we can construct a deterministic and total parity automaton 
$H_{WC_1(\Phi)}$ satisfying (1) such that $|H_{WC_1(\Phi)}| = 4 \cdot |H_\Phi| \cdot |H_\Phi|^*$, and 
$|H_{WC_1(\Phi)}|^* = |H_\Phi|^* + 1$. 

5.2 A /x-Calculus Formula for the Winning States 

For all (p,tick,bl,h) G P, we let (.Q{{p,tick,bl,h)) = £{p) G Q, 

it{{p,tick,bl,h)) = tick, and £b{{p,tick,bl,h)) = bl. The fixpoint formula 
that solves the game with goal is constructed as follows [dAHMOla]. The 



(go, gi, • • • G A Vfc G N . > fc . tickj) 

V 

3fc G N.Vj > k . {-<blj A -itickj) 

( 1 ) 
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formula is composed of blocks Bq,--- ,B2k+i, where Bq is the innermost 
block and ^62^+1 the outermost block. The formula uses the set of variables 
{x^ \ p £ P,j G {0, . . . ,2k + 1}} U {y}, which take values in 2‘®, where S is the 
set of states of the game structure A. The block Bq is a i/-block which consists 
of all equations of the form 



xl={eQ{p)xK{C))nCPreA \/ xt^^^xUpf) xU^) 

\p'&T{p) 

for p £ P, where C is the set of clocks of A. For 0 < j < 2fc + 1, the block Bj 
is a ^-block if j is odd^ and a j/-block if j is even; in either case it consists of 
the set of equations | p G P}. The block ^62^+1 consists of the set of 

equations {x2^._|_i = x^f. \ p £ P} U {1/ = VpgPo output variable is y. 

The operator CPrei : S S is^the controllable predecessor operator, defined 
by 3mi £ Pi(s).Vm2 £ 12(5) . <5(s, mi, m2) £ X. Intuitively, for s £ S and 
X C S', we have that s £ CPrei(X) if player 1 can force the augmented game to 
X in one move. As an example, consider the set X = (Xi x {f} x {t}) U (X2 x 
{f} X {f}) for some X C S. Then, s £ CPrei{X) if player 1 has a move such 
that, whatever the move played by player 2: either (a) the game proceeds to Xi, 
the global clock z does not advance beyond an integer boundary {tick = f), and 
player 1 is blamed (W = t); or (b) the game proceeds to X2, the global clock z 
does not advance beyond an integer boundary, and player 1 is not blamed. The 
implementation and properties of operator CPre\ are discussed below. Note that 
the formula depends only on H,^, but not on the timed game structure over 
which it is evaluated (except trivially via the product with K{C), which is simply 
the set of all clock valuations). Denote by C S the fixpoint valuation of 

y over the timed game structure |A] . Lemma 2 enables the computation of the 
winning states of the game with respect to player 1; the winning states with 
respect to player 2 can be computed in a symmetrical fashion. 

Lemma 2. We have (1)^ = 

5.3 The Controllable Predecessor Operator

The operator CPre_1 can be computed as follows. For X ⊆ S × {t, f}^2, write X = (X_T × {t}) ∪ (X_F × {f}), for X_T, X_F ⊆ S × {t, f}. Intuitively, X_T (resp. X_F) represents the portion of X that corresponds to the case where bl is t (resp. f). Then, s ∈ CPre_1(X) if and only if:

\[
\exists (\Delta_1, a_1) \in \Gamma_1(s) .\;
\Big( \forall (\Delta_2, a_2) \in \Gamma_2(s) .\; \big( \Delta_2 < \Delta_1 \rightarrow (\delta(s, (\Delta_2, a_2)), tick(s, \Delta_2)) \in X_F \big) \Big)
\;\wedge\;
\Big( (\delta(s, (\Delta_1, a_1)), tick(s, \Delta_1)) \in X_T \;\vee\; \forall (\Delta_2, a_2) \in \Gamma_2(s) .\; \Delta_2 < \Delta_1 \Big),
\]

where tick((q, κ), Δ) is T iff κ(z) < n < κ(z) + Δ for some integer n. In words, the above formula states that there is a player 1 action that, played with delay Δ_1, leads to X_T; moreover, all actions of player 2, if played with delay up to Δ_1, lead to X_F. The following lemma states that the controllable predecessor operator preserves regions for timed automaton games.

Lemma 3. For n > 0, consider X = ⋃_{j=1}^{n} (X_j × {tick_j} × {bl_j}), where for 1 ≤ j ≤ n, the set X_j is a region, and tick_j, bl_j ∈ {t, f}. Then, CPre_1(X) is a union of regions.

5.4 Putting It All Together

From the constructions of the previous subsections, we obtain the following decidability result for timed automaton games with ω-regular location goals.

Theorem 5. Consider a timed automaton game A with the set Q of locations, and a parity automaton H_Φ that specifies a location goal Φ ⊆ Q^ω. Let C be the set of clocks of A, let m = |C|, and let c = max{c_x | x ∈ C}. Then, the set of winning states ⟨1⟩Φ can be computed in time O((|Q| · m! · 2^m · (2c + 1)^m · |H_Φ| · …).

Corollary 1. The problem of solving a timed automaton game for a location goal specified by a parity automaton is EXPTIME-complete.

EXPTIME-hardness follows from the EXPTIME-hardness of alternating reachability on timed automata [HK99]. Membership in EXPTIME is shown by the exponential-time algorithm outlined above. The algorithm for solving timed automaton games can also be used to simultaneously construct a winning strategy for player 1, as in [dAHM01b]. The winning strategies thus constructed have the following finitary structure. Two finite runs r̄ = s_0, (m^1_0, m^2_0), s_1, ..., s_k and r̄' = s'_0, (m'^1_0, m'^2_0), s'_1, ..., s'_k of the same length are region equivalent, written r̄ ≅ r̄', if for all 0 ≤ j ≤ k, we have [s_j] = [s'_j]. A strategy is a region strategy if, for region equivalent finite runs, it prescribes moves to the same region. Formally, a strategy π ∈ Π is a region strategy if for all r̄, r̄' ∈ FRuns, we have that r̄ ≅ r̄' implies δ(last(r̄), π(r̄)) ≅ δ(last(r̄'), π(r̄')). Since the CPre_1 operator preserves regions, we can show that the strategy constructed by the above algorithm does not distinguish between region equivalent runs, and hence, the constructed strategy is a region strategy.

Theorem 6. Let A be a timed automaton game and s a state of A. For every ω-regular location goal Φ, if player i has a strategy to win WC_i(Φ) from s, then player i has a region strategy for winning WC_i(Φ) from s.
Abstract. We identify a necessary condition for when a given BPP process can be expressed as a BPA process. We provide an effective procedure for testing whether this condition holds of a given BPP, and in the positive case we provide an effective construction of a particular form of one-counter automaton which is bisimilar to the given BPP. This in turn provides the mechanism to decide bisimilarity between a given BPP process and a given BPA process.



1 Introduction 

During the last decade, a great deal of research effort has been devoted to the study of decidability and complexity issues for checking semantic equivalences, in particular bisimilarity, between various classes of processes. There have been several surveys presenting this work (e.g., [16,13,12]), including a major Handbook chapter [3]. There is even now a project devoted to maintaining an up-to-date comprehensive overview of the state of the art in this dynamic research topic [19].

Example classes of processes of particular interest in this study are pushdown automata, Petri nets, and the process algebra PA. Some milestones in the study, beginning with the decidability of bisimilarity over normed BPA [1], include the undecidability of bisimilarity over Petri nets [10]; the decidability of bisimilarity over normed PA [7]; and the decidability of bisimilarity over the class of strict deterministic grammars (a particular formulation of deterministic pushdown automata) [23]. This final result reinforces Senizergues' solution [18] to the long-standing equivalence problem for deterministic pushdown automata. A closely related result is the decidability of bisimilarity over state-extended BPA [17,22].

The motivation for the present study is to work towards a generalization of the above decidability result for normed PA to the whole class of PA processes. The process algebra PA includes operators for composing terms both sequentially and in parallel, and as described by Hirshfeld and Jerrum in [7], there are surprising interactions between

* The first two authors are supported by the Grant Agency of the Czech Republic, grant No. 201/03/1161.
sequential and parallel compositions. Indeed, one can express the sequential composition X_1·X_2 of two terms X_1 and X_2 as a parallel composition Y_1 ∥ Y_2 of two other terms Y_1 and Y_2 in infinitely many ways, using terms of unbounded complexity. By restricting to normed process terms, Hirshfeld and Jerrum were able to develop a structural theory which allowed them, in effect, to finitely characterize the infinite set of solutions to the equivalence X_1·X_2 ~ Y_1 ∥ Y_2, and then use this characterization to provide their decidability result. However, it remains open how to extend their techniques to the unnormed PA case.

The process class BPA represents the subset of PA involving only sequential composition, while BPP represents the subset involving only parallel composition. As such, in light of the above observations, it becomes natural to consider the problem of comparing an arbitrary BPA term with an arbitrary BPP term. Decidability between such a pair of terms in the normed case of course follows from the above result, though this problem was already settled in [2,5].

Bisimulation checking over normed process classes has typically proven to be far more tractable than over unnormed processes. For example, over both the BPA and BPP process classes, unique decomposability results in the spirit of [15] hold over the normed subclasses, which allow for polynomial decision procedures in each case [8,9]. Though decidability of bisimilarity in the unnormed cases has been known for some time, bounds on their complexity have been elusive. Recently both problems have been shown to be PSPACE-hard [20,21], and even more recently the problem for BPP has been shown to be PSPACE-complete [11]. Various novel techniques are developed in each of the above papers which contribute towards an understanding of the nature of these classes of sequential and parallel processes.

In this paper we continue the exposition of these classes of processes and consider the problem of when an arbitrary BPP process can be expressed as a BPA process term. To this end, we identify a property of (arbitrary) processes which cannot be modelled "sequentially"; essentially this property entails encoding two distinct, unrelated and sufficiently large integer values. If our given BPP process can be expressed as a BPA term, then clearly it is necessary that the process does not possess this property. Furthermore, we demonstrate how to test whether a given BPP process possesses this property, and in the case that it does not, we provide an effective construction of an equivalent one-counter automaton. As one-counter automata and BPA both constitute subclasses of state-extended BPA, we arrive at the decidability of bisimilarity between BPA and BPP processes from the afore-mentioned decidability of bisimilarity over state-extended BPA.

The structure of the paper is as follows. In Sect. 2 we present various preliminary definitions, and in Sect. 3 we explore the structure of BPA processes and provide the crucial technical result of the paper. Finally, in Sect. 4 we prove our decidability result by characterizing when a BPP process abides by the structural restrictions of BPA processes exposed in Sect. 3, and then demonstrating how to decide equivalence to a given BPA process in the case where this is true.
2 Preliminary Definitions and Results

2.1 Processes and Norms

Formally, a process is represented by (a state in) a labelled transition system defined as follows.

Definition 1. A labelled transition system (LTS) is a triple S = (S, Act, →) where S is a set of states, Act is a finite set of actions, and → ⊆ S × Act × S is a transition relation.

We write s -a-> s' instead of (s, a, s') ∈ → and we extend this notation to elements of Act* in the natural way. We also use s → s' to mean s -a-> s' for some a ∈ Act. A state s' is reachable from a state s if s →* s', that is, if s -w-> s' for some w ∈ Act*.

The notion of "behavioural sameness" between two processes can be formally captured in many different ways (see, e.g., [6] for an overview). Among those behavioural equivalences, bisimulation equivalence enjoys special attention. Its formal definition is as follows.

Definition 2. Let S = (S, Act, →_S) and T = (T, Act, →_T) be transition systems defined over the same action set Act. A binary relation R ⊆ S × T is a bisimulation relation iff whenever (s, t) ∈ R, we have that

— for each transition s -a->_S s' there is a transition t -a->_T t' such that (s', t') ∈ R; and

— for each transition t -a->_T t' there is a transition s -a->_S s' such that (s', t') ∈ R.

Processes s and t are bisimulation equivalent (bisimilar), written s ~ t, iff they are related by some bisimulation.

An important subclass of processes are the normed processes, which are those for which from any state there is a sequence of transitions leading to a state having no transitions leading out of it; the norm of a process state is then traditionally defined to be the length of a shortest sequence of transitions leading to such a deadlocked state. We can generalize the notion of a norm as follows. (We let N = {0, 1, 2, ...} represent the set of natural numbers, N_ω = N ∪ {ω}, and N_{ω,−1} = N ∪ {ω, −1}, where ω + ω = ω + k = ω − k = ω − ω = ω, and k < ω and ω ≤ ω for every k ∈ N ∪ {−1}.)

Definition 3. Let S = (S, Act, →) be a transition system, and d : S → N_ω a function. We say that d is a norm iff for all s ∈ S we have the following:

- If s → s', then d(s') ≥ d(s) − 1; and

- If 0 < d(s) < ω, then there is s → s' such that d(s') = d(s) − 1.

In the latter clause, we call such a transition a d-reducing transition.

It is possible to construct new norms out of already existing ones; for example, if d and d' are norms, then so is min(d, d'). For our purposes, the following construction is particularly important. Firstly, for all s, s' ∈ S we define the distance from s to s', denoted dist(s, s'), to be the length of a shortest sequence of transitions leading from state s to state s':

\[
dist(s, s') = \min \{\, length(w) : s \xrightarrow{w} s' \,\}.
\]

Adhering to the convention that min ∅ = ω, we note that dist(s, s') = ω when there is no such sequence.

Given a tuple of norms F = (d_1, ..., d_k), each transition s -a-> s' determines a unique change of F, denoted δ_F(s -a-> s'), which is a k-tuple of values from N_{ω,−1} defined by δ_F(s -a-> s') = (d_1(s') − d_1(s), ..., d_k(s') − d_k(s)). For each triple (a, F, δ), where a ∈ Act, F = (d_1, ..., d_k) is a tuple of norms, and δ ∈ N^k_{ω,−1}, we define the function dd_(a,F,δ) : S → N_ω to be the distance to a state for which all norms of F are finite, and for which there is no a-transition with the change δ:

\[
dd_{(a,\mathcal{F},\delta)}(s) = \min \{\, dist(s, s') : d_i(s') \neq \omega \text{ for all } i, \text{ and } \delta_{\mathcal{F}}(s' \xrightarrow{a} s'') \neq \delta \text{ for all } s' \xrightarrow{a} s'' \,\}.
\]

Obviously, each such dd_(a,F,δ) is a norm.

Some norms are not semantically relevant in the sense that bisimilarity does not necessarily preserve them. In this paper we are mainly interested in bisimulation-invariant norms.

Definition 4. We say that a given norm d is bisimulation-invariant if s ~ s' implies d(s) = d(s').

A simple example of a bisimulation-invariant norm is the function dd_a (where a ∈ Act) defined as follows:

\[
dd_a(s) = \min \{\, dist(s, s') : s' \stackrel{a}{\nrightarrow} \,\},
\]

that is, the distance to a state from which no a-transition is possible.

Definition 5. The set of DD-functions is defined inductively as follows:

— dd_a is a DD-function for every a ∈ Act;

— if F = (d_1, ..., d_k) is a tuple of DD-functions, δ ∈ N^k_{ω,−1} and a ∈ Act, then dd_(a,F,δ) is also a DD-function.

A simple observation is that if d_1, ..., d_k are bisimulation-invariant norms, then dd_(a,F,δ) is also a bisimulation-invariant norm for each triple (a, F, δ). This in turn implies that all DD-functions are bisimulation-invariant. For each DD-function d we further define the sets D(d) and C(d) of all DD-functions and changes which are employed during the construction of d:

- D(dd_a) = C(dd_a) = ∅ for every action a;

- if d = dd_(a,F,δ), where F = (d_1, ..., d_k), then

  • D(d) = D(d_1) ∪ ··· ∪ D(d_k) ∪ {d_1, ..., d_k},

  • C(d) = C(d_1) ∪ ··· ∪ C(d_k) ∪ {δ}.
2.2 BPA, BPP, Petri Nets, and One-Counter Automata

A BPA process is defined by a context-free grammar in Greibach normal form. Formally this is given by a triple G = (V, A, Γ), where V is a finite set of variables (nonterminal symbols), A is a finite set of labels (terminal symbols), and Γ ⊆ V × A × V* is a finite set of rewrite rules (productions); it is assumed that every variable has at least one associated rewrite rule. Such a grammar gives rise to the LTS S_G = (V*, A, →) in which the states are sequences of variables, the actions are the labels, and the transition relation is given by the rewrite rules extended by the prefix rewriting rule: if (X, a, α) ∈ Γ then Xβ -a-> αβ for all β ∈ V*. In this way, concatenation of variables naturally represents sequential composition.

A BPP process is defined in exactly the same fashion from such a grammar. However, in this case elements of V* are read modulo commutativity of concatenation, so that concatenation is interpreted as parallel composition rather than sequential composition. The states of the BPP process associated with a grammar are thus given not by sequences of variables but rather by multisets of variables.

In either case, BPA or BPP, the usual notion of the norm of a state α ∈ V*, denoted |α|, is the length of a shortest path to the empty process ε: |α| = dist(α, ε). If all variables of the underlying grammar have finite norm, then the process is said to be normed; otherwise it is unnormed.

As an example, Fig. 1 depicts the (normed) BPA and BPP processes defined by the same grammar given by the three rules A → AB, A → ε and B → ε. It can easily be shown [3] that the BPA process cannot be expressed by any BPP process, and equally the BPP process cannot be expressed by any BPA process. Fig. 2 on the other hand depicts an example of an (unnormed) process which is definable both as a BPA process and as a BPP process.
An equivalent formulation of BPP, and one which we adopt to aid in distinguishing between BPA and BPP processes, is as labelled Petri nets in which each transition has a unique input place. Formally, a labelled Petri net is a tuple N = (P, T, F, A, ℓ) where P and T are finite and disjoint sets of places and transitions, respectively, F : (P×T ∪ T×P) → N is a flow function, A is a set of labels, and ℓ : T → A is a labelling. A marking is a function M : P → N which associates to each place a finite number of tokens. A transition t is enabled at a marking M if M(p) ≥ F(p, t) for each place p. If t is enabled at M, it can be fired from M, producing a new marking M' defined by M'(p) = M(p) − F(p, t) + F(t, p). This is written as M -t-> M'. To every labelled Petri net N we associate a transition system where the set of states is the set of all markings, A is the set of all labels, and M -a-> M' iff there is a transition t such that ℓ(t) = a and M -t-> M'.

Petri nets are often depicted as graphs with two kinds of nodes (corresponding to places and transitions) where the flow function is indicated by (multiple) arcs between places and transitions. A BPP net is a Petri net where for every t ∈ T there is exactly one place Pre(t) such that F(Pre(t), t) = 1 and F(p, t) = 0 for every other place p. The equivalence of these BPP nets to BPP is easily seen from the Petri nets presented in Figs. 1 and 2.

We shall find the following Petri net concepts useful.

Definition 6. For a set Q of places of a Petri net, we define norm(Q)(M) to be the length of a shortest sequence of transitions from M which leaves all of the places of Q empty:

\[
norm(Q)(M) = \min \{\, dist(M, M') : M'(p) = 0 \text{ for every } p \in Q \,\}.
\]

We may readily observe that for every set Q of places, norm(Q) is a norm in the sense of Definition 3. In the case of BPP nets, norm(Q)(M) is just a weighted sum of tokens in M; that is, to each place p we can effectively associate some c_p ∈ N_ω (which depends only on Q) so that norm(Q)(M) = Σ_{p ∈ P} c_p · M(p) for every marking M.

Definition 7. A set Q of places of a Petri net is called a trap iff for all transitions t we have that if Σ_{p ∈ Q} F(p, t) > 0 then Σ_{p ∈ Q} F(t, p) > 0.

Thus a "marked" trap, that is, a trap containing at least one token, can never become unmarked. This then implies that for any trap Q, norm(Q)(M) is either 0 or ω.

We can note that ∅ is a trap, and that the union of traps is again a trap. This justifies the following definition.

Definition 8. maxtrap(Q) denotes the maximal trap contained in the set of places Q.

Finally, we shall have cause to consider the following class of one-counter automata.

Definition 9. A one-counter automaton with resets (OCR) is a tuple P = (Q, A, I, Z, δ) where Q is a finite set of control states, A is a finite input alphabet, I and Z are counter symbols and δ is a finite set of rules which are of one of the following three forms:

— pZ -a-> qI^kZ where p, q ∈ Q, a ∈ A, and k ∈ N; these rules are called zero rules.

— pI -a-> qI^k where p, q ∈ Q, a ∈ A, and k ∈ N; these rules are called positive rules.

— pI -a-> qZ where p, q ∈ Q and a ∈ A; these rules are called resets.

Hence, Z acts as a bottom symbol (which cannot be removed), and the number of I's which are stored in the stack above the topmost occurrence of Z represents the counter value. The reset (i.e., setting the counter back to zero) is implemented by pushing the symbol Z onto the stack.

To the OCR P we associate the transition system S_P where Q × {I, Z}* is the set of states, A is the set of actions, and the transition relation is determined by

pXα -a-> qβα iff (pX -a-> qβ) ∈ δ.
3 Prefix-Encoded Norms over BPA

In this section we demonstrate that large values of DD-functions are represented by large (normed) prefixes of BPA states. This will provide a necessary condition for when a BPP process can be bisimilar to a BPA process.

Definition 10. We define the pseudo-norm (or prefix-norm) pn(α) of a BPA process α as follows:

\[
pn(\alpha) = \max \{\, |\beta| : \alpha = \beta\gamma \text{ and } |\beta| < \omega \,\}.
\]

We call the transition Xβ → γβ a pn-reducing step iff |γ| = |X| − 1 < ω.

Note that pn is not a norm in the sense of Definition 3, and that a step Xβ → γβ such that pn(γβ) = pn(Xβ) − 1 is not necessarily pn-reducing.

Definition 11. We say that a norm d is prefix-encoded for a given BPA process G iff there is a constant C ∈ N such that for every process α of G with C < d(α) < ω, the d-reducing steps from α are exactly the pn-reducing steps from α. In this case, we say that d is prefix-encoded above C.

Given a BPA process, we define the value MAXSTEP as the maximal value |β| − |X| where X -a-> β is a rule with |β| < ω. For any norm d we easily observe the following.

Proposition 12.

(a) d(αβ) ≤ |α| + d(β).

(b) If d(αβ) < |α| + d(β) then α →* α' with d(α'β) = 0.

(c) If d is prefix-encoded above C and d(αβ) > |α| + C then d(αβ) = |α| + d(β); and if α → α' with |α'| < ω then d(αβ) − 1 ≤ d(α'β) ≤ d(αβ) + MAXSTEP.

(d) If d(Xα) < ω and there is a transition from Xα which is d-reducing or pn-reducing but not both, then there is a maximal sequence Xα →* β of d-reducing transitions such that X →* γ with γ ≠ ε; this implies that Xα →* γα and d(γα) = 0.

Lemma 13. For any BPA process, each DD-function is prefix-encoded.
Proof. We assume a given BPA process, and show the claim by contradiction. We first define some technical notions. For a DD-function d, we say that two states α_1 and α_2 are (d, C)-diff-large (for C ∈ N) iff for each d' ∈ {d} ∪ D(d) such that d'(α_1) ≠ d'(α_2) we have the following inequalities:

C < d'(α_1) < ω; C < d'(α_2) < ω; and |d'(α_2) − d'(α_1)| > C.

We say that the states α_1 and α_2 are d-bad iff for some γ ≠ ε:

0 = d(γα_1) < d(γα_2) or 0 = d(γα_2) < d(γα_1).

Claim 1. If d is not prefix-encoded, then for any C ∈ N there are states α_1 and α_2 which are (d, C)-diff-large and d-bad.

Proof of Claim 1. If d is not prefix-encoded, then there is a sequence of states β_1, β_2, β_3, ... with d(β_1) < d(β_2) < d(β_3) < ··· such that each β_i can make a step which is d-reducing or pn-reducing but not both.

Using the pigeonhole principle, we can assume (i.e., extract a subsequence) β_1 = Xα_1, β_2 = Xα_2, β_3 = Xα_3, ... for a variable X (obviously |X| < ω). We can furthermore assume (by repeated subsequence extractions) that for each d' ∈ {d} ∪ D(d) we have either d'(α_1) = d'(α_2) = d'(α_3) = ···, or else d'(α_1) < d'(α_2) < d'(α_3) < ···.

Hence, for any given C there are i < j such that α_i and α_j are (d, C)-diff-large. From Proposition 12 (d), and the fact that d(Xα_i) < d(Xα_j), we easily derive that α_i and α_j are d-bad. (□)

We now let d be a non-prefix-encoded DD-function on a minimal level. Choose C ∈ N so that:

- each d' ∈ D(d) is prefix-encoded above (C − z_0), where z_0 is the maximum of the finite components of changes in C(d);

- C > MAXSTEP; and

- C > d'(β) whenever d' ∈ D(d) and X → β with d'(β) < ω = |β|.

We take d_1 ∈ {d} ∪ D(d) on a minimal level such that we can choose α_1 and α_2 which are (d_1, C)-diff-large and d_1-bad (as guaranteed by Claim 1). Assume that 0 = d_1(γα_1) < d_1(γα_2). If d'(γα_2) = ω for some d' ∈ D(d_1), then d'(α_2) = ω = d'(α_1). Since d'(γα_1) < ω, there is some β such that 0 = d'(βα_1) < d'(βα_2); but this means that α_1 and α_2 are d'-bad, which contradicts the level-minimality of d_1.

Thus for some d' ∈ D(d_1) and z being a component of a change in C(d) there is a step γ → γ' such that

\[
d'(\gamma\alpha_1) + z \neq d'(\gamma'\alpha_1) \quad\text{and}\quad d'(\gamma\alpha_2) + z = d'(\gamma'\alpha_2). \tag{1}
\]

Claim 2. There is ξ such that d'(ξα_1) ≠ d'(ξα_2), and either d'(ξα_1) < |ξ| + d'(α_1) or d'(ξα_2) < |ξ| + d'(α_2).

Proof of Claim 2. Suppose that none of the γ and γ' from Equation (1) satisfies the claim. Since we cannot have that |γ| + d'(α_1) + z ≠ |γ'| + d'(α_1) and |γ| + d'(α_2) + z = |γ'| + d'(α_2), it is sufficient to consider only the following cases:

(a) d'(γα_1) = d'(γα_2) and d'(γ'α_1) ≠ d'(γ'α_2);

(b) d'(γα_1) ≠ d'(γα_2) and d'(γ'α_1) = d'(γ'α_2).

For case (a): d'(γ'α_1) = |γ'| + d'(α_1) ≠ |γ'| + d'(α_2) = d'(γ'α_2) and d'(γα_1) = d'(γα_2) = d'(γ'α_2) − z (note that z < ω). By Proposition 12 (c) we get that d'(γ'α_1) and d'(γ'α_2) can differ by at most MAXSTEP + 1, which is a contradiction.

For case (b): d'(γα_1) = |γ| + d'(α_1) ≠ |γ| + d'(α_2) = d'(γα_2). Proposition 12 (c) implies that we cannot have d'(γ'α_1) = d'(γ'α_2) unless the step γ → γ' is due to a rule X → β with |β| = ω. But C was chosen bigger than d'(β). (□)

Finally we show that the existence of a (d', C)-diff-large pair α_1 and α_2, together with a ξ satisfying Claim 2, contradicts the assumption that d' is prefix-encoded above C; this will finish the proof of the Lemma.

Without loss of generality, assume d'(ξα_1) < d'(ξα_2). If d'(ξα_1) < |ξ| + d'(α_1) then there is ξ' such that 0 = d'(ξ'α_1) < d'(ξ'α_2), meaning α_1 and α_2 are d'-bad, which is a contradiction.

It remains to consider d'(ξα_1) = |ξ| + d'(α_1) < d'(ξα_2) < |ξ| + d'(α_2). Since necessarily d'(α_1) < d'(α_2), we have d'(ξα_2) > |ξ| + C, so by Proposition 12 (c), d'(ξα_2) = |ξ| + d'(α_2), which again is a contradiction. □

4 Bisimilarity Is Decidable on the Union of BPA and BPP 

In this section we show that we can decide whether a given BPP process M_0 satisfies a necessary condition for being bisimilar to some unspecified BPA process. In the positive case we can (effectively) construct an OCR process which is bisimilar to M_0. So the decidability of the question whether M_0 ~ α_0 (where α_0 is a BPA process) follows from the results of [17,22].

We first recall some useful results from [11] which clarify the "bisimilarity state space" for BPP processes; firstly, by inspection of [11] we can confirm the following.

Lemma 14. For each BPP net N we can effectively construct a sequence Q_1, ..., Q_m of sets of places which are important in the sense that their norms capture bisimilarity:

\[
\forall M, M' : \; M \sim M' \iff \forall i : norm(Q_i)(M) = norm(Q_i)(M').
\]

In fact, the collection of all norm(Q_i), 1 ≤ i ≤ m, is exactly the set of all DD-functions over the state space of N. More precisely, for every DD-function d there is some Q_i such that d(M) = norm(Q_i)(M) for every marking M of N. Conversely, to every Q_i one can associate a DD-function d_i so that all elements of D(d_i) are among the functions associated to Q_1, ..., Q_{i−1}.

We now explore further related technical notions. Let N be a labelled Petri net with initial marking M_0. Given c ∈ N_ω, we say that places p and q of N are c-dependent (for M_0) if for every reachable marking M we have that if c < M(p) and c < M(q), then M(p) = M(q). Note that p and q are trivially ω-dependent (for every M_0). The dependence level of p, q (for M_0) is the least c ∈ N_ω such that p and q are c-dependent for M_0.
Lemma 15. Let N be a Petri net, M_0 a marking of N, and p, q places of N. The dependence level of p, q for M_0 is effectively computable.

Proof. The dependence level of p, q can be computed, e.g., by employing a slightly modified version of the algorithm for constructing the coverability tree for M_0 [14]. We briefly sketch the construction, emphasizing the difference from the standard algorithm.

An extended marking is a function M : P → N_ω. All notions introduced for "ordinary" markings also apply to extended markings by employing the standard ω-conventions introduced in Sect. 2.1. The goal is to compute a finite tree where nodes are labelled by extended markings such that the dependence level of p, q for M_0 can be "read" from the tree. It is also possible that the algorithm terminates earlier (without constructing the whole tree) and outputs ω. This happens if the part of the tree constructed so far exhibits a "pumpable" sequence of transitions witnessing the infinity of the dependence level. To simplify our notation, we introduce the following notion: Let n, n' be nodes of the tree labelled by M, M' such that n' is a descendant of n. We say that a place s is pumped at n' from n by k, where 0 < k < ω, iff M' ≥ M and M'(s) − M(s) = k. Furthermore, s is pumpable at n' iff s is pumped at n' from some predecessor of n' by some (positive) value.

Initially, we put M_0 to be the (label of the) root of the tree. Then, for every node n labelled by M which has not yet been processed we do the following: If the tree contains a processed node with the same label, then the node n is immediately declared as processed. Otherwise, for every transition t which is enabled at M we do the following:

- If M(p) = M(q) = ω and F(t, p) − F(p, t) ≠ F(t, q) − F(q, t), then the algorithm halts and outputs ω. Otherwise, a new successor n' of n with a temporary label M' (where M -t-> M') is created.

- We check whether the following two conditions hold for every predecessor n'' of n'. If not, the algorithm halts and outputs ω.

  • If p is pumped at n' from n'' by k, then M'(q) ≠ ω and q is either not pumpable at n', or it is pumped at n' from n'' by the same k.

  • If q is pumped at n' from n'' by k, then M'(p) ≠ ω and p is either not pumpable at n', or it is pumped at n' from n'' by the same k.

- If the algorithm does not terminate in the previous point, we redefine M'(r) = ω for every place r pumpable at n'.

If the algorithm terminates by processing all nodes, it outputs the maximal finite value c for which there is a node n labelled by M in the constructed tree such that M(p) ≠ M(q), and M(p) = c or M(q) = c. □

Now let $\mathcal{N}$ be a BPP net with initial marking $M_0$, and let $Q$ and $Q'$ be important 
sets of places of $\mathcal{N}$. We say that $Q$ and $Q'$ are $c$-dependent for a given $c \in \mathbb{N}_\omega$ if 
for every reachable marking $M$ we have that if $c < \mathrm{norm}(Q)(M) < \omega$ and $c < 
\mathrm{norm}(Q')(M) < \omega$, then $\mathrm{norm}(Q)(M) = \mathrm{norm}(Q')(M)$. The dependence level of 
$Q, Q'$ is the least $c \in \mathbb{N}_\omega$ such that $Q$ and $Q'$ are $c$-dependent. 

Lemma 16. Let $Q$ and $Q'$ be important sets of places of a BPP net $\mathcal{N}$, and let $M_0$ be a 
marking of $\mathcal{N}$. The dependence level of $Q, Q'$ is effectively computable. 

Proof. First we extend the net $\mathcal{N}$ by two fresh places $p$ and $q$. Then we remove all 
transitions which put a token to $\mathrm{maxtrap}(Q)$ or to $\mathrm{maxtrap}(Q')$, and modify the other 
transitions so that for every reachable marking $M$ we have that $\mathrm{norm}(Q)(M) = M(p)$ 
and $\mathrm{norm}(Q')(M) = M(q)$ (i.e., we "count" $\mathrm{norm}(Q)$ in $p$ and $\mathrm{norm}(Q')$ in $q$). This 
is easy because $\mathrm{norm}(Q)(M)$ and $\mathrm{norm}(Q')(M)$ are just weighted sums of tokens in 
$M$ (cf. the remarks after Definition 6). Note that the resulting Petri net is not necessarily 
a BPP net. Initially, $p$ and $q$ contain $\mathrm{norm}(Q)(M_0)$ and $\mathrm{norm}(Q')(M_0)$ tokens, 
respectively. Obviously, the dependence level of $Q, Q'$ in $\mathcal{N}$ equals the dependence level 
of $p, q$ in the modified net, and thus it is effectively computable by Lemma 15. □ 

The usefulness of the above explorations now becomes apparent. 

Lemma 17. Let $M_0$ be a marking of a BPP net $\mathcal{N}$. If $Q$ and $Q'$ are important sets of 
places with dependence level $\omega$, then $M_0$ is not bisimilar to any BPA process. 

For example, the sets $\{P\}$ and $\{Q\}$ are important for the BPP net of Fig. 1; the associated 
DD-functions (referring to Lemma 14) are $dd_a$ and $dd_b$, respectively. As these sets have 
a dependence level of $\omega$, this Lemma demonstrates that there is no BPA process which 
is bisimilar to $P$. 

Proof. Let $Q_1, \ldots, Q_m$ be the important sets of places associated to the BPP net $\mathcal{N}$, 
and let $d_1, \ldots, d_m$ be the associated DD-functions in the sense of Lemma 14. Now 
suppose that there are important sets $Q$ and $Q'$ whose dependence level for $M_0$ equals 
$\omega$, and that there is a BPA process $\alpha_0$ such that $M_0 \sim \alpha_0$. By Lemma 13, $d_1, \ldots, d_m$ 
are prefix-encoded on (any) BPA. Let 

$$C = \max\{C_{d_i} : 1 \leq i \leq m\}$$ 

where $C_{d_i}$ is the constant of Definition 11 chosen for $d_i$ and the underlying BPA process 
of $\alpha_0$. We also let $k$ be the number of places of $\mathcal{N}$. 

Since the dependence level of $Q, Q'$ for $M_0$ equals $\omega$, there is a reachable marking 
$M$ such that 

$$C + k < \mathrm{norm}(Q)(M) < \omega \quad\text{and}\quad C + k < \mathrm{norm}(Q')(M) < \omega,$$ 

and $\mathrm{norm}(Q)(M) \neq \mathrm{norm}(Q')(M)$. Let $d$ and $d'$ be the DD-functions associated to $Q$ 
and $Q'$, respectively. Since $M$ is reachable, $M \sim \alpha$ for some $\alpha$ reachable from $\alpha_0$. As 
DD-functions are bisimulation invariant, we get that 

$$C + k < d(M) = d(\alpha) < \omega \quad\text{and}\quad C + k < d'(M) = d'(\alpha) < \omega.$$ 

Due to the choice of $C$, we know that for every sequence of (at most) $k$ transitions, if 
each transition is $d$-reducing then each is also $d'$-reducing, and vice versa. 

Certainly $Q \neq Q'$, as otherwise we could not have $\mathrm{norm}(Q)(M) \neq \mathrm{norm}(Q')(M)$. 
Hence, there is some $p \in (Q \setminus Q') \cup (Q' \setminus Q)$. Suppose, e.g., $p \in (Q \setminus Q')$. If $M(p) \geq 1$, 
we are done immediately, as then there is a $d$-reducing transition $M \xrightarrow{t} M'$, where 
$d = \mathrm{norm}(Q)$, which takes the token away from $p$, and therefore it does not decrease 
$\mathrm{norm}(Q') = d'$. The bisimilar BPA process $\alpha$ cannot match this transition. 

If for every $p \in (Q \setminus Q') \cup (Q' \setminus Q)$ we have that $M(p) = 0$, we argue as follows: 
Let us assume that, e.g., $\mathrm{norm}(Q)(M) < \mathrm{norm}(Q')(M)$. Then there must be some 
$q \in Q \cap Q'$ such that $M(q) \geq 1$, and each sequence of $d$-reducing transitions, where 
$d = \mathrm{norm}(Q)$, which removes the token in $q$ out of $Q$ (that is, the total effect of 
the sequence on places in $Q$ is that the token in $q$ disappears) must temporarily mark 
some place $p$ in $Q'$ which is not in $Q$. Otherwise, we would immediately obtain that 
$\mathrm{norm}(Q')(M) \leq \mathrm{norm}(Q)(M)$. Now we can change the order of these transitions so 
that $p$ is marked after at most $(k-1)$ $d$-reducing transitions. (Here we rely on a folklore 
result about BPP processes. Also note that any performable permutation of a sequence 
of $d$-reducing transitions also consists of $d$-reducing transitions.) Now we can use the 
same argument as in the previous paragraph. □ 

Lemma 18. Let $M_0$ be a marking of a BPP net $\mathcal{N}$. If for all important sets of places 
$Q$ and $Q'$ we have that the dependence level of $Q, Q'$ is finite, then we can effectively 
construct an OCR process which is bisimilar to $M_0$. 

Proof. Let $Q_1, \ldots, Q_m$ be the important sets of places constructed for the BPP net $\mathcal{N}$, 
and let $\mathcal{T} = (d_1, \ldots, d_m)$ be the (tuple of the) associated DD-functions as in Lemma 14. 
Furthermore, let 

$$C = \max\{dl(Q_i, Q_j) : 1 \leq i, j \leq m\}$$ 

where $dl(Q_i, Q_j)$ is the dependence level of $Q_i, Q_j$. Note that $C$ is effectively computable 
due to Lemma 16. For every reachable marking $M$, all norms $\mathrm{norm}(Q_i)(M)$ which 
are finite and larger than $C$ coincide. More precisely, if 

$$C < \mathrm{norm}(Q_i)(M) < \omega \quad\text{and}\quad C < \mathrm{norm}(Q_j)(M) < \omega$$ 

where $1 \leq i, j \leq m$, then $\mathrm{norm}(Q_i)(M) = \mathrm{norm}(Q_j)(M)$. 

So we can construct an OCR $\mathcal{V}$, with the initial state bisimilar to $M_0$, which mimics 
the behaviour of markings of $\mathcal{N}$ in the following way: Instead of (the current marking) 
$M$, the OCR $\mathcal{V}$ records in the finite control state unit: 

- for which sets $Q_i$ the value $\mathrm{norm}(Q_i)(M)$ equals $\omega$ (now and forever); 

- for which sets $Q_i$ the value $\mathrm{norm}(Q_i)(M)$ is "small", i.e., no greater than $C$; the 
precise values of these norms are also recorded in the finite control; and 

- for which sets $Q_i$ the value $\mathrm{norm}(Q_i)(M)$ is larger than $C$. 

Since the values $\mathrm{norm}(Q_i)(M)$ in the last collection must be the same, i.e., equal to 
some $v$, $\mathcal{V}$ can record $(v - C)$ in the counter. 

Note that the configuration of $\mathcal{V}$ associated to $M$ does not contain the "full" 
information about $M$ in the sense that the exact distribution of tokens in $M$ cannot be 
reconstructed from the recorded norms. It can happen that different markings $M, M'$ 
have the property $\mathrm{norm}(Q_i)(M) = \mathrm{norm}(Q_i)(M')$ for every $1 \leq i \leq m$, and then (and 
only then) they are represented by the same configuration of $\mathcal{V}$. However, if $M$ and $M'$ 
coincide on every $\mathrm{norm}(Q_i)$, then (and only then) they are bisimilar (see Lemma 14). 

It remains to explain how $\mathcal{V}$ performs its transitions. First, for every marking $M$ we 
define the set 

$$\mathit{fire}(M) = \{(a, \delta) : \exists\, M \xrightarrow{a} M' \text{ such that } \delta_{\mathcal{T}}(M \xrightarrow{a} M') = \delta\}.$$ 

Note that if $M \sim M'$, then $\mathit{fire}(M) = \mathit{fire}(M')$. Hence, for every configuration $p\alpha$ of 
$\mathcal{V}$ we can define $\mathit{fire}(p\alpha) = \mathit{fire}(M)$ where $M$ is a marking to which $p\alpha$ is associated. 
(If there is no such $M$, $\mathit{fire}(p\alpha)$ is undefined.) Next we show that for every $p\alpha$ for which 
$\mathit{fire}(p\alpha)$ is defined, the set $\mathit{fire}(p\alpha)$ is effectively computable just from the information 
stored in the control state $p$ (hence, we can denote $\mathit{fire}(p\alpha)$ just by $\mathit{fire}(p)$). It clearly 
suffices for our purposes, because then we can compute the sets $\mathit{fire}(q)$ for all control 
states $q$ and "implement" each pair $(a, \delta)$ in a given $\mathit{fire}(q)$ in the straightforward way; 
in particular, if all "large" norms are set to $\omega$, then the control state is updated and the 
counter is reset to zero. One can also readily verify that every marking $M$ is bisimilar 
to its associated configuration of $\mathcal{V}$. 

Let $t$ be a transition of $\mathcal{N}$. In each marking $M$ where $t$ is enabled, the (firing of) $t$ 
causes some change of $\mathcal{T}$ (i.e., of $(\mathrm{norm}(Q_1), \ldots, \mathrm{norm}(Q_m))$); we define 

$$\delta_t(M) = \delta_{\mathcal{T}}(M \xrightarrow{t} M').$$ 

In general, the same transition can cause different changes in different markings $M, \bar{M}$. 
The (only) reason why this can happen is that some $\mathrm{norm}(Q_i)$ which is finite for $M$ can 
be $\omega$ for $\bar{M}$, and vice versa (note that if $\mathrm{norm}(Q_i)(M) = \omega$, then $\delta_t(M)_i = \omega$). So, 
$\delta_t(M)$ is (completely and effectively) determined by the structure of $\mathcal{N}$ and the mode 
of $M$, i.e., the set of all $Q_i$'s for which $\mathrm{norm}(Q_i)(M) < \omega$. Hence, for a given mode 
$\mathcal{M}$ (i.e., a subset of $\{Q_1, \ldots, Q_m\}$ whose norms are to be finite) we can effectively 
partition the transitions of $\mathcal{N}$ into classes $T_1, \ldots, T_k$ so that transitions in the same $T_i$ 
have the same label and the same change at every marking with mode $\mathcal{M}$. Thus, to each 
$T_i$ we can associate a pair $(a_i, \delta_i)$. Note that 

$$\mathit{fire}(M) \subseteq \{(a_1, \delta_1), \ldots, (a_k, \delta_k)\}$$ 

for every marking $M$ with mode $\mathcal{M}$. Now we show that for each $T_i$ one can effectively 
construct an important set $Q_{j_i}$ such that for every marking $M$ with mode $\mathcal{M}$ we have 
that 

$$(a_i, \delta_i) \in \mathit{fire}(M) \quad\text{iff}\quad \mathrm{norm}(Q_{j_i})(M) > 0. \qquad (2)$$ 

Actually, it suffices to put 

$$Q_{j_i} = \bigcup_{t \in T_i} \mathit{Pre}(t) \;\cup\; \bigcup_{Q \in \mathcal{M}} \mathrm{maxtrap}(Q).$$ 

Clearly, $\mathrm{norm}(Q_{j_i})$ is a bisimulation-invariant norm; and it follows from the construction 
of the important sets $Q_1, \ldots, Q_m$ presented in [11] that $Q_{j_i}$ appears in the sequence 
$Q_1, \ldots, Q_m$. It remains to verify that Equation (2) indeed holds. So, let $M$ be 
a marking with mode $\mathcal{M}$. If $(a_i, \delta_i) \in \mathit{fire}(M)$, some of the transitions in $T_i$ are 
enabled at $M$, and hence $\mathrm{norm}(Q_{j_i})(M) > 0$. Conversely, if $\mathrm{norm}(Q_{j_i})(M) > 0$, the 
places of $\bigcup_{Q \in \mathcal{M}} \mathrm{maxtrap}(Q)$ are surely not marked (otherwise, we would have that 
$\mathrm{norm}(Q)(M) = \omega$ for some $Q$ in $\mathcal{M}$, which is a contradiction). Hence, some $\mathit{Pre}(t)$, 
where $t \in T_i$, must be marked at $M$, which means that $t$ is enabled at $M$. 

Since control states of $\mathcal{V}$ carry the information about the current mode and currently 
positive $\mathrm{norm}(Q_i)$'s, we are done. □ 
The previous lemmata allow us to conclude the following: 

Theorem 19. Bisimilarity between BPA and BPP processes is decidable. 

Proof. We first check if there are important sets $Q$ and $Q'$ whose dependence level 
equals $\omega$ (this is decidable by Lemmas 14 and 16). If this is the case, then $M_0$ cannot be 
bisimilar to any BPA process (Lemma 17). Otherwise, we can effectively construct an OCR process 
$p\alpha$ which is bisimilar to $M_0$ (Lemma 18). We can then check bisimilarity between $p\alpha$ 
and the given BPA process (using, e.g., the algorithm of [17,22]). □ 

As a final remark, we note that a more detailed analysis of the properties of BPP 
processes which are bisimilar to BPA processes would admit a refinement of the result of 
Lemma 18: the OCR must be special in the sense that the first transition which increments 
the counter (since the last reset) "selects" the control state $q$ to which the machine must 
switch by the first decrement operation. The only possibility of how to change $q$ to some 
other state is to perform a reset. We conjecture that such a behaviour can be matched 
by an effectively constructible BPA process. This being the case, we could then use 
the bisimilarity-checking algorithm for BPA processes [4] instead of the one for PDA 
processes, which would yield an elementary upper complexity bound for bisimilarity 
between BPA and BPP. 
Abstract. We consider the problem of parametric verification over a 
class of systems of processes competing for access to shared resources. 
We suppose the access to the resources to be controlled according to a 
FIFO-based policy with a possibility of distinguishing low-priority and 
high-priority resource requests. We propose a model of the concerned 
systems based on extended automata with queues. Over this model, we 
address verification of properties expressed in LTL\X enriched with global 
process quantification and interpreted on finite as well as fair behaviours 
of the given systems. In addition, we examine parametric verification 
of process deadlockability too. By reducing the parametric verification 
problems to finite-state model checking, we establish several decidability 
results for different classes of the considered properties and systems 
(including the special case of systems with the pure FIFO resource 
management). Moreover, we show that parametric verification against formulae 
with local process quantification is undecidable in the given context. 



1 Introduction 

Managing concurrent access to shared resources is a fundamental problem that 
appears in many contexts, e.g., operating systems, multithreaded programs, 
control software, etc. The critical properties to ensure are typically (1) mutual 
exclusion when exclusive access is required, (2) absence of starvation (a process that 
requires a resource will eventually get it), and (3) absence of deadlocks. Many 
different instances of this problem can be defined depending on the assumptions 
on the allowed actions for access to resources and the policies for managing the 
access to these resources. 

In this work, we consider systems with a finite number of resources shared 
by a set of identical processes. These processes can require a set of resources, 
get access and use the requested resources, and release the used resources. The 
requests can be of a low-priority or a high-priority level. The access to the 
resources is managed by a locker according to a FIFO-based policy taking into 
account the priorities of the requests, i.e. a waiting high-priority request can 
overtake waiting low-priority ones. As a special case allowing for an optimized 
treatment, we then examine the situation when no high-priority requests are 
used, and the locker behaves according to the pure FIFO discipline. 

* This work was supported in part by the European Commission (FET project 
ADVANCE, contract No. IST-1999-29082). 

R. Amadio, D. Lugiez (Eds.): CONCUR 2003, LNCS 2761, pp. 174-190, 2003. 
© Springer-Verlag Berlin Heidelberg 2003 

Verification of Parametric Concurrent Systems 

As mentioned later in related work, the above framework is, in particular, 
inspired by a need to verify the use of shared resources in some of Ericsson’s 
ATM switches. However, the operations for access to shared resources and the 
resource management policies used are quite natural in general in concurrent 
applications dealing with shared resources. 

Verification of the described systems can, of course, be carried out using 
finite-state model-checking if we fix the number of processes. However, a precise 
number of processes present in such a system in practice is usually not known 
in advance, and it is thus crucial to verify that the system behaves correctly for 
any number of them. This yields a parametric verification problem that is quite 
nontrivial as we have to deal with an infinite number of system instances. 

The aim of this paper is to study decidability of the described problem for 
a significant class of properties including the three most important ones given 
above. 

For an abstract description of the concerned systems, we define a model based 
on extended automata with queues recording the identities of the waiting 
processes for each resource. Then, we address the verification problem for families of 
such systems with an arbitrary number of processes (called RTR families; RTR 
stands for request-take-release) against formulae of the temporal logic LTL\X 
with global process quantification. We consider two interpretation domains for 
the logic: the set of finite behaviours (which is natural for safety properties), 
and the set of fair behaviours (in order to cover liveness properties). In addition, 
we consider the parametric verification problem of process deadlockability too. 

We adopt the approach of finding cut-off bounds to show that many 
interesting parametric verification problems in the given context can be reduced to 
finite-state model checking. This means that given a class of formulae, we prove 
that deciding whether all systems of a family satisfy a formula is equivalent to 
deciding whether some finite number of systems in the family (each of them 
having a fixed number of processes) satisfies this formula. 

When establishing our results, we consider the question whether it is possible 
to find cut-off bounds that do not depend on the structure of the involved 
processes and the formula at hand, but only on the number of resources and the 
number of processes quantified in the formula. Indeed, these numbers are 
relatively small, especially in comparison to the size of process control automata. 

We show that for RTR families where the pure FIFO resource management is 
used (i.e. no high-priority access to resources is required), parametric verification 
of finite as well as fair behaviour is decidable against all LTL\X formulae with 
global process quantification. The cut-off bound in the finite behaviour case is 
the number of quantified processes, whereas it is this number plus the number of 
resources in the fair behaviour case. These bounds lead to practical finite-state 
verification. Furthermore, we show that the verification of process deadlockability 
is decidable too (where the bound is the number of resources). 

On the other hand, for the case of dealing with RTR families that distinguish 
low-priority and high-priority requests, we show that, unfortunately, general, 
structure-independent cut-offs exist for neither the interpretation of 
the considered logic on finite nor on fair behaviours. However, we show that even 
for such families, parametric verification of finite behaviour is decidable, e.g., 
against reachability/invariance formulae, and parametric verification of fair 
behaviour is decidable against formulae with a single quantified process. In this 
way, we cover, e.g., verification of the (for the given application domain) key 
properties of mutual exclusion and absence of starvation. For the former case, 
we even obtain a structure-independent cut-off equal again to the number of 
quantified processes. For verification of fair behaviour against single process 
formulae, no general structure-independent cut-off can be found, but we provide 
a structure-dependent one, and in addition, we determine a significant subclass 
of RTR families where a structure-independent cut-off for this particular kind 
of properties does exist. Finally, we show that process deadlockability can be 
solved in the case of general RTR families via the same (structure-independent) 
cut-off as in the case of the families not using high-priority requests. 

Lastly, we show that although the queues in RTR families are not communication 
queues, but just waiting queues, and the above decidability results may be 
established, the model is still quite powerful, and decidability may easily be lost 
when trying to deal with a bit more complex properties to verify. We illustrate 
this by proving that parametric finite-behaviour verification becomes undecidable 
(even for families not using high-priority requests) for LTL\X extended with 
the notion of local process quantification [8] allowing one to examine different 
processes in different encountered states. 

Related Work: There exist several approaches to the parametric verification 
problem. We can mention, for example, the use of symbolic model checking, 
(automated) abstraction, or network invariants [10,1,3,14,11,12]. The idea of cut-offs 
has already been used in several contexts [9,6,7,5] too. However, to the best of 
our knowledge, there is no work covering the class of parametric systems 
considered here, i.e. parametric resource sharing systems with a prioritized FIFO 
resource management. The two involved obstacles (parameterization and having 
multiple queues over an unbounded domain of process identifiers) seem to 
complicate the use of any of the known methods. Using cut-offs appears to be the 
easiest approach here. 

The work [5] targets verification of systems with shared resources (and even 
employs cut-offs), but the system model and the employed proof techniques 
differ. The involved processes need not be identical, the number of resources is 
not bounded, but, on the other hand, only two fixed processes may compete for a 
given resource, and their requests are served in random order (there are no FIFO 
queues in [5]). Moreover, some of the properties to be verified we consider here 
are different from [5] (e.g., we deal with the more realistic notion of weak/strong 
fairness compared to the unconditional one used there, etc.). 

Finally, let us add that our work was originally motivated by [2] that concerns 
verification of the use of shared resources in Ericsson’s AXD 301 ATM switch. 
In [2] finite-state model checking is used to verify some isolated instances of the 
given parametric system. Then, in the concluding remarks, a need for a more 
complete, parametric verification is mentioned, which is what our work is aiming 
at on the level of a general abstract model covering the given application domain. 

Outline: We first formalize the notion of RTR families and define the 
specification logic we use. Then, we present our cut-off results for finite and fair 
behaviour and process deadlockability as well as the undecidability result. Due 
to space limitations, we provide proof ideas for some of the results only; the 
complete proofs can be found in [4]. 

2 RTR Families 

2.1 The Model of RTR Families 

Processes in systems of RTR families are controlled by RTR automata. An RTR 
automaton over a finite set of resources is a finite automaton with the following 
kinds of actions attached to transitions: skip (denoted by $\tau$, an abstract step 
not changing resource utilization), request and, when it is the turn, take a set 
of resources at the low- or high-priority level (rqt/prqt), and, finally, release a 
set of resources (rel). 

Let us, however, stress that we allow processes to block inside (p)rqt transitions¹ 
while waiting for the requested resources to be available for them. Therefore, 
a single (p)rqt transition in a model semantically corresponds to two transitions, 
which we denote as (p)req (request a set of resources) and (p)take (start using 
the requested resources when enabled to do so by the locking policy). 

Definition 1. An RTR automaton is a 4-tuple $A = (R, Q, q_0, T)$ where $R$ is 
a set of resources, $Q$ is a set of control locations, $q_0 \in Q$ is an initial control 
location, and $T \subseteq Q \times \mathcal{A} \times Q$ is a transition relation over the set of actions 
$\mathcal{A} = \{\tau\} \cup \{a(R') \mid a \in \{rqt, prqt, rel\} \wedge R' \neq \emptyset \wedge R' \subseteq R\}$. The sets $R$, $Q$, $T$, 
and $\mathcal{A}$ are nonempty, finite, pairwise disjoint, and disjoint with $\mathbb{N}$. 

An RTR family $\mathcal{F}(A)$ over an RTR automaton $A$ is a set of systems $S_n$ 
consisting of $n \geq 1$ identical processes controlled by $A$ and identified by elements 
of $P_n = \{1, \ldots, n\}$. (In the following, if no confusion is possible, we usually drop 
the reference to $A$.) We denote as RTR\P families the special cases of RTR 
families whose control automata contain no high-priority request actions. 



2.2 Configurations 

For the rest of the section, let us suppose working with an arbitrary fixed RTR 
family $\mathcal{F}$ over an automaton $A = (R, Q, q_0, T)$ and with a system $S_n \in \mathcal{F}$. 

To make the semantics of RTR families reflect the fact that processes may 
block in (p)rqt actions, we extend the set $Q$ of "explicit" control locations to $Q_T$ 
containing a unique internal control location $q_t$ for each transition $t \in T$ based on 
a (p)rqt action. Furthermore, let $T_T$ be the set obtained from $T$ by preserving all 
$\tau$ and rel transitions and splitting each transition $t = (q_1, \text{(p)rqt}(R'), q_2) \in T$ 
into two transitions $t_1 = (q_1, \text{(p)req}(R'), q_t)$ and $t_2 = (q_t, \text{(p)take}(R'), q_2)$. 

¹ We use (p)rqt when addressing both rqt as well as prqt transitions. 

We define the resource queue alphabet of $S_n$ as $\Sigma_n = \{s(p) \mid s \in \{r, pr, g, u\} \wedge 
p \in P_n\}$. The meaning is that a process has requested a resource in the low- or 
high-priority way, it has been granted the resource, or it is already using the 
resource. A configuration $c$ of $S_n$ is then a function $c : (P_n \to Q_T) \cup (R \to \Sigma_n^*)$ 
that assigns the current control locations to processes and the current content 
of queues of requests to resources. Let $C_n$ be the set of all such configurations. 



2.3 Resource Granting and Transition Firing 

We now introduce the locker function $\Lambda$ implementing the considered FIFO 
resource management policy with low- and high-priority requests. This function 
is to be applied over configurations changed by adding/removing some requests 
to/from some queues in order to grant all the requests that can be granted wrt. 
the given strategy in the given situation. Note that in the case of RTR\P families, 
the resource management policy can be considered the pure FIFO policy. 

A high-priority request is granted iff none of the needed resources is in use 
by or granted to any process, nor is it subject to any sooner raised, but not yet 
granted, high-priority request. A low-priority request is granted iff the needed 
resources are not in use nor granted and they are not subject to any sooner 
raised request nor any later raised high-priority request that can be granted at 
the given moment. (High-priority requests that currently cannot be granted do 
not block sooner raised low-priority requests.) Formally, for $c \in C_n$, we define 
$\Lambda(c)$ to be a configuration of $C_n$ equal to $c$ up to the following for each $r \in R$: 

1. If $c(r) = w_1 . pr(p) . w_2$ for some $p \in P_n$, $w_1, w_2 \in \Sigma_n^*$ s.t. $c(p) = q_t$ for a 
certain $t = (q_1, prqt(R'), q_2) \in T$ and for all $r' \in R'$, $c(r') = w_1' . pr(p) . w_2'$ 
with $w_1' \in \{r(p') \mid p' \in P_n\}^*$ and $w_2' \in \Sigma_n^*$, we set $\Lambda(c)(r)$ to $g(p) . w_1 . w_2$. 

2. If $c(r) = r(p) . w$ for some $p \in P_n$, $w \in \Sigma_n^*$ such that $c(p) = q_t$ for a certain 
$t = (q_1, rqt(R'), q_2) \in T$ and for all $r' \in R'$, $c(r') = r(p) . w'$ with $w' \in \Sigma_n^*$, 
and the premise of case 1 is not satisfied for $r'$, we set $\Lambda(c)(r)$ to $g(p) . w$. 

We define enabling and firing of transitions in processes of $S_n$ via a predicate 
$en \subseteq C_n \times T_T \times P_n$ and a function $to : C_n \times T_T \times P_n \to C_n$. 

For all transitions $t = (q_1, \tau, q_2) \in T_T$ and $t = (q_1, a(R'), q_2) \in T_T$, $a \in 
\{rel, req, preq\}$, we define $en(c, t, p) \Leftrightarrow c(p) = q_1$. For each transition $t = 
(q_1, \text{(p)take}(R'), q_2) \in T_T$, we define $en(c, t, p) \Leftrightarrow c(p) = q_1 \wedge \forall r \in R'\ \exists w \in \Sigma_n^* : 
c(r) = g(p) . w$. Intuitively, a transition is enabled in some process if the process 
is at the source control location of the transition and, in the case of (p)take, if 
the appropriate request has been granted. 

Firing of a transition $t = (q_1, \tau, q_2) \in T_T$ simply changes the control location 
mapping of $p$ from $q_1$ to $q_2$, i.e. $to(c, t, p) = (c \setminus \{(p, q_1)\}) \cup \{(p, q_2)\}$. 

Firing of a (p)req transition $t$ corresponds to registering the request in the 
queues of all the involved resources and going to the internal waiting location 
of $t$. The locker is applied to (if possible) immediately grant the request. For 
$t = (q_1, \text{(p)req}(R'), q_2) \in T_T$, we define $to(c, t, p) = \Lambda((c \setminus c^-) \cup c^+)$ where $c^- = 
\{(p, q_1)\} \cup \{(r, c(r)) \mid r \in R'\}$ and $c^+ = \{(p, q_2)\} \cup \{(r, c(r) . \text{(p)r}(p)) \mid r \in R'\}$. 

For a transition $t = (q_1, \text{(p)take}(R'), q_2) \in T_T$, we simply change all the 
appropriate $g$ queue items to $u$ items and finish the concerned (p)rqt transition, 
i.e. $to(c, t, p) = (c \setminus c^-) \cup c^+$ with $c^-$ as in the case of (p)req and $c^+ = \{(p, q_2)\} \cup 
\{(r, u(p) . w) \mid r \in R' \wedge c(r) = g(p) . w\}$. 

Finally, a rel transition removes the head $u$ items from the queues of the 
given resources provided they are owned by the given process. The locker is 
applied to grant all the requests that may become unblocked. Formally, for $t = 
(q_1, rel(R'), q_2) \in T_T$, we fix $to(c, t, p) = \Lambda((c \setminus c^-) \cup c^+)$ with $c^- = \{(p, q_1)\} \cup 
\{(r, c(r)) \mid r \in R' \wedge \exists w \in \Sigma_n^* : c(r) = u(p) . w\}$ and $c^+ = \{(p, q_2)\} \cup \{(r, w) \mid r \in 
R' \wedge w \in \Sigma_n^* \wedge c(r) = u(p) . w\}$. 

2.4 Behaviour of Systems of RTR Families 

Let $S_n$ be a system of an RTR family $\mathcal{F}$. We define the initial configuration 
$c_0$ of $S_n$ to be such that $\forall p \in P_n : c_0(p) = q_0$ and $\forall r \in R : c_0(r) = \varepsilon$. 
By a finite behaviour of $S_n$ starting from $c_1 \in C_n$, we understand a sequence 
$c_1 (p_1, t_1) c_2 \ldots (p_l, t_l) c_{l+1}$ such that for each $i \in \{1, \ldots, l\}$, $en(c_i, t_i, p_i)$ holds, and 
$c_{i+1} = to(c_i, t_i, p_i)$. If $c_1$ is the initial configuration $c_0$, we may drop a reference 
to it and speak simply about a finite behaviour of $S_n$. The notion of infinite 
behaviours of $S_n$ can be defined in an analogous way. A complete behaviour is 
then either infinite or such that it cannot be extended any more. 

We say a complete behaviour is weakly (process) fair iff each process that is 
eventually always enabled to fire some transitions, always eventually fires some 
transitions. We may call a complete behaviour strongly (process) fair iff each 
process that is always eventually enabled to fire some transitions, always 
eventually fires some transitions. However, we do not deal with strong fairness in the 
following as in our model, the notions of strong and weak fairness coincide: Due 
to the separation of requesting resources and starting to use them and the 
impossibility of cancelling issued grants of resources, a process cannot temporarily 
have no enabled transitions without firing anything. 

For a behaviour $\beta_n = c_1 (p_1, t_1) c_2 (p_2, t_2) \ldots$ of a system $S_n$ of an RTR family 
$\mathcal{F}$, we call the configuration sequence $\pi_n = c_1 c_2 \ldots$ a path of $S_n$ corresponding to 
$\beta_n$ and the transition firing sequence $\rho_n = (p_1, t_1)(p_2, t_2) \ldots$ a run of $S_n$ corresponding 
to $\beta_n$. If the behaviour is not important, we do not mention it. We denote by 
$\Pi_n^{fin} \subseteq C_n^*$ the set of all finite paths of $S_n$, and by $\Pi_n^{wf} \subseteq C_n^+ \cup C_n^\omega$ 
the set of all paths of $S_n$ corresponding to complete, weakly fair behaviours. 
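The locker function, the en/to relations and the finite behaviours of Sect. 2.3 and 2.4 can be executed directly. The following Python program is an added example, not code from the paper or its authors: it encodes $T_T$, $\Lambda$ (both cases, evaluated against the old configuration, as in the definition), $en$, $to$, and a breadth-first enumeration of the configurations reachable on finite behaviours of $S_n$, which suffices to check the mutual-exclusion invariant of Sect. 3 for a fixed $n$. The one-resource automaton, the location names, the representation of $q_t$ as `('wait', index of t)` and the tuple encoding of queues are assumptions made for the example.

```python
from collections import deque

def split_transitions(T):
    # T_T of Sect. 2.2: keep tau/rel, split (p)rqt(R') into (p)req -> q_t -> (p)take
    TT = []
    for idx, (q1, (act, R_), q2) in enumerate(T):
        if act in ('rqt', 'prqt'):
            qt, hi = ('wait', idx), act == 'prqt'        # q_t named by the index of t (assumption)
            TT.append((q1, ('preq' if hi else 'req', R_), qt))
            TT.append((qt, ('ptake' if hi else 'take', R_), q2))
        else:
            TT.append((q1, (act, R_), q2))
    return TT

def locker(locs, queues, TT):
    # Lambda(c) for c = (locs, queues); queues[r] is a tuple of (s, p) with s in r/pr/g/u
    waiting = {p: (act, R_) for p, q in enumerate(locs)
               for (q1, (act, R_), _) in TT if q1 == q and act in ('take', 'ptake')}

    def grantable_high(r):   # case 1: first pr(p) in r, only r(.) ahead of it in every r' in R'
        for s, p in queues[r]:
            if s == 'pr':
                act, R_ = waiting.get(p, (None, ()))
                if act == 'ptake' and all(s2 == 'r' for r2 in R_
                        for s2, _ in queues[r2][:queues[r2].index(('pr', p))]):
                    return p
                return None
        return None

    def grantable_low(r):    # case 2: r(p) heads every R' queue and case 1 applies to none
        if queues[r] and queues[r][0][0] == 'r':
            p = queues[r][0][1]
            act, R_ = waiting.get(p, (None, ()))
            if act == 'take' and all(queues[r2][:1] == (('r', p),)
                                     and grantable_high(r2) is None for r2 in R_):
                return p
        return None

    new = dict(queues)       # both cases are evaluated against the old c, as in the definition
    for r in queues:
        p = grantable_high(r)
        if p is not None:
            new[r] = (('g', p),) + tuple(e for e in queues[r] if e != ('pr', p))
        elif grantable_low(r) is not None:
            new[r] = (('g', queues[r][0][1]),) + queues[r][1:]
    return new

def enabled(locs, queues, t, p):
    # en(c, t, p): right source location; (p)take also needs g(p) heading every R' queue
    q1, (act, R_), _ = t
    return locs[p] == q1 and (act not in ('take', 'ptake')
                              or all(queues[r][:1] == (('g', p),) for r in R_))

def fire(locs, queues, t, p, TT):
    # to(c, t, p): the configuration after process p fires t in T_T
    _, (act, R_), q2 = t
    locs, queues = locs[:p] + (q2,) + locs[p + 1:], dict(queues)
    if act in ('req', 'preq'):             # append r(p)/pr(p) to every R' queue, then Lambda
        for r in R_:
            queues[r] += (('pr' if act == 'preq' else 'r', p),)
        queues = locker(locs, queues, TT)
    elif act in ('take', 'ptake'):         # the granted head g(p) becomes u(p)
        for r in R_:
            queues[r] = (('u', p),) + queues[r][1:]
    elif act == 'rel':                     # drop own u(p) heads, then Lambda regrants
        for r in R_:
            if queues[r][:1] == (('u', p),):
                queues[r] = queues[r][1:]
        queues = locker(locs, queues, TT)
    return locs, queues

def reachable(A, n):
    # every configuration on some finite behaviour of S_n from c_0 (BFS over en/to)
    R, _, q0, T = A
    TT, key = split_transitions(T), lambda c: (c[0], tuple(sorted(c[1].items())))
    c0 = ((q0,) * n, {r: () for r in R})
    seen, work = {key(c0): c0}, deque([c0])
    while work:
        locs, queues = work.popleft()
        for p in range(n):
            for t in TT:
                if enabled(locs, queues, t, p):
                    c = fire(locs, queues, t, p, TT)
                    if key(c) not in seen:
                        seen[key(c)] = c
                        work.append(c)
    return list(seen.values())

def mutual_exclusion(A, n, cs):
    # forall p1,p2 : A [] not(at(p1,cs) and at(p2,cs)) over the finite behaviours of S_n;
    # it is an invariant, so inspecting each reachable configuration once is enough
    return all(sum(q == cs for q in locs) < 2 for locs, _ in reachable(A, n))

# Constructed automaton (an assumption, not the paper's): one resource, a low- and a
# high-priority way into the critical section 'cs', and a release back to 'idle'.
RES = frozenset({'r'})
A_EX = (RES, {'idle', 'cs'}, 'idle', [('idle', ('rqt', RES), 'cs'),
        ('idle', ('prqt', RES), 'cs'), ('cs', ('rel', RES), 'idle')])

def overtaking_demo():
    # 0 uses r, 1 waits at low priority, 2 at high priority; on 0's release Lambda grants 2 first
    TT = split_transitions(A_EX[3])
    by = lambda q, act: next(t for t in TT if t[0] == q and t[1][0] == act)
    c = (('idle',) * 3, {'r': ()})
    c = fire(*c, by('idle', 'req'), 0, TT)           # r: g(0)
    c = fire(*c, by(c[0][0], 'take'), 0, TT)         # r: u(0)
    c = fire(*c, by('idle', 'req'), 1, TT)           # r: u(0) r(1)
    c = fire(*c, by('idle', 'preq'), 2, TT)          # r: u(0) r(1) pr(2)
    return fire(*c, by('cs', 'rel'), 0, TT)          # r: g(2) r(1)
```

`overtaking_demo()` returns the configuration in which the high-priority request of process 2 has been granted ahead of the older low-priority entry of process 1 (queue of r: g(2) r(1)), the situation the informal description of Sect. 2.3 calls overtaking; `mutual_exclusion(A_EX, 3, 'cs')` holds because at most one g or u entry ever heads a queue. The enumeration works for one fixed $n$ only; it is the cut-off results of the paper that let such finite checks stand in for a whole family.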

3 The Specification Logic 

In this work, we concentrate (with the exception of process deadlockability) 
on verification of process-oriented, linear-time properties of systems of RTR 
families. For specifying the properties, we use the below described extension of 
LTL\X, which we denote as MPTL (i.e. temporal logic of many processes). We 
exclude the next-time operator from our framework because it sometimes allows 
a certain kind of counting of processes, which is undesirable when trying to 
limit/reduce the number of processes to be considered in verification. 

We extend LTL\X by global process quantification in a way inspired by ICTL* 
(see, e.g., [8]) and allowing us to easily reason over systems composed of a 
parametric number of identical processes. We also allow for an explicit distinction 
whether a property should hold for all paths or for at least one path out of a 
given set. Therefore, we introduce a single top-level path quantifier to our 
formulae. We restrict quantification in the following way: (1) We implicitly require 
all variables to always refer to distinct processes. (2) We allow only uniformly 
universal (or uniformly existential) process and path quantification. 

Finally, we limit atomic formulae to testing the current control locations 
of processes. We allow for referring to the internal control locations of request 
transitions too, which corresponds to asking whether a process has requested 
some resources, but has not become their user yet. 



3.1 The Syntax of MPTL 

Let $PV$, $PV \cap \mathbb{N} = \emptyset$, be a set of process variables. We first define the syntax 
of MPTL path subformulae, which we build from atomic formulae $at(p, q)$ using 
boolean connectives and the until operator. For $V \subseteq PV$ and $p \in V$, we have: 

$$\varphi(V) ::= at(p, q) \mid \neg\varphi(V) \mid \varphi(V) \vee \varphi(V) \mid \varphi(V)\ \mathbf{U}\ \varphi(V)$$ 

As syntactical sugar, we can then introduce in the usual way formulae like $tt$, 
$ff$, $\varphi(V) \wedge \varphi(V)$, $\Box\varphi(V)$, or $\Diamond\varphi(V)$. 

Subsequently, we define the syntax of universal and existential MPTL formulae, 
which extend MPTL path subformulae by process and path quantification 
used in a uniformly universal or existential way. For $V \subseteq PV$, we have 
$\Phi_A ::= \forall V : \mathbf{A}\,\varphi(V)$ and $\Phi_E ::= \exists V : \mathbf{E}\,\varphi(V)$. 

In the rest of the paper, we commonly specify sets of quantified variables by 
listing their elements in some chosen order. Using MPTL formulae, we can then 
express, for example, mutual exclusion as $\forall p_1, p_2 : \mathbf{A}\,\Box\neg(at(p_1, cs) \wedge at(p_2, cs))$ 
or absence of starvation as $\forall p : \mathbf{A}\,\Box(at(p, req) \Rightarrow \Diamond at(p, use))$. 

3.2 The Formal Semantics of MPTL 

Suppose we work with a set of process variables $PV$. As we require process 
quantifiers to always speak about distinct processes, we call a function 
$\nu_n : PV \to P_n$ a valuation of $PV$ iff it is an injection. 

Suppose further that we have a system $S_n$ of an RTR family $\mathcal{F}$. Let 
$\pi_n \in C_n^* \cup C_n^\omega$ denote a (finite or infinite) path of $S_n$. For a finite (or 
infinite) path $\pi_n = c_1 c_2 \ldots c_{|\pi_n|}$ ($\pi_n = c_1 c_2 \ldots$), let $\pi_n^i$ denote the suffix 
$c_i c_{i+1} \ldots c_{|\pi_n|}$ ($c_i c_{i+1} \ldots$) of $\pi_n$, respectively. (For a finite $\pi_n$ with 
$|\pi_n| < i$, $\pi_n^i = \varepsilon$.) Given a path $\pi_n$ of $S_n$ and a valuation $\nu_n$ of $PV$, we 
inductively define the semantics of MPTL path subformulae $\varphi(V)$ as follows: 

- $\pi_n, \nu_n \models at(p,q)$ iff $\pi_n = c.\pi_n'$ and $c(\nu_n(p)) = q$. 

- $\pi_n, \nu_n \models \neg\varphi(V)$ iff $\pi_n, \nu_n \not\models \varphi(V)$. 

- $\pi_n, \nu_n \models \varphi_1(V) \vee \varphi_2(V)$ iff $\pi_n, \nu_n \models \varphi_1(V)$ or $\pi_n, \nu_n \models \varphi_2(V)$. 

- $\pi_n, \nu_n \models \varphi_1(V)\ \mathcal{U}\ \varphi_2(V)$ iff there is $i \geq 1$ such that $\pi_n^i, \nu_n \models \varphi_2(V)$ 
and for each $k$, $1 \leq k < i$, $\pi_n^k, \nu_n \models \varphi_1(V)$. 

As for any given behaviour $\beta_n$ of $S_n$, there is a unique path $\pi_n$ corresponding 
to it, we will also sometimes say in the following that $\beta_n$ satisfies or unsatisfies 
a formula $\varphi$ meaning that $\pi_n$ satisfies or unsatisfies $\varphi$. We will call the processes 
assigned to some process variables by $\nu_n$ the processes visible in $\pi_n$ via $\nu_n$. 

Next, let $\Pi_n \subseteq C_n^* \cup C_n^\omega$ denote any set of paths of $S_n$. (Later we concentrate 
on sets of paths corresponding to all finite or fair behaviours.) We define the 
semantics of MPTL universal and existential formulae as follows: 

- $\Pi_n \models \forall V : A\,\varphi(V)$ iff for all valuations $\nu_n$ of $PV$ and all $\pi_n \in \Pi_n$, 
$\pi_n, \nu_n \models \varphi(V)$. 

- $\Pi_n \models \exists V : E\,\varphi(V)$ iff $\pi_n, \nu_n \models \varphi(V)$ for some $PV$ valuation $\nu_n$ and 
some $\pi_n \in \Pi_n$. 



3.3 Evaluating MPTL over Systems and Families 

Let $S_n$ be a system of an RTR family $\mathcal{F}$. Given a universal or existential MPTL 
formula $\Phi$, we say the finite behaviour of $S_n$ satisfies $\Phi$, which we denote by 
$S_n \models_{fin} \Phi$, iff $\Pi_n^{fin} \models \Phi$ holds. We say the weakly fair behaviour of $S_n$ 
satisfies $\Phi$, which we denote by $S_n \models_{wf} \Phi$, iff $\Pi_n^{wf} \models \Phi$ holds. 

Next, we introduce a notion of MPTL formulae satisfaction over RTR families, 
in which we allow for specifying the minimum size of the systems to be 
considered.¹ We go on with the chosen uniformity of quantification and for a 
universal MPTL formula $\Phi_a$, an RTR family $\mathcal{F}$, and a lower bound $l$ on the 
number of processes to be considered, we define $\mathcal{F}, l \models_{fin} \Phi_a$ to hold iff 
$S_n \models_{fin} \Phi_a$ holds for all systems $S_n \in \mathcal{F}$ with $l \leq n$. Dually, for an 
existential MPTL formula $\Phi_e$, we define $\mathcal{F}, l \models_{fin} \Phi_e$ to hold iff 
$S_n \models_{fin} \Phi_e$ holds for some system $S_n \in \mathcal{F}$ with at least $l$ processes. 
The same notions of MPTL formulae satisfaction over families can be introduced 
for weakly fair behaviour too. 

¹ Specifying the minimum size allows one to exclude possibly special behaviours of 
small systems. Fixing the maximum size would lead to finite-state verification. 
Although our results could still be used to simplify such verification, we do not 
discuss this case here. 

4 Verification of Finite Behaviour 

As we have already indicated, one of the problems we examine in this paper is 
verification of finite behaviour of systems of RTR families against correctness 
requirements expressed in MPTL. In particular, we concentrate on the parametric 
finite-behaviour verification problem of checking whether $\mathcal{F}, l \models_{fin} \Phi_a$ holds 
for a certain RTR family $\mathcal{F}$, a universal MPTL formula $\Phi_a$, and a lower bound $l$ 
on the number of processes to be considered. The problem of checking whether 
$\mathcal{F}, l \models_{fin} \Phi_e$ holds for a certain existential MPTL formula $\Phi_e$ is dual, and we 
will not cover it explicitly in the following. 

4.1 A Cut-Off Result for RTR\P Families 

We first examine the parametric finite-behaviour verification problem for the 
case of RTR\P families. Let $\Phi_a = \forall p_1, \ldots, p_k : A\,\varphi(p_1, \ldots, p_k)$ be a universal 
MPTL formula with $k$ globally quantified process variables. We show that for any 
RTR\P family $\mathcal{F}$, the problem of checking $\mathcal{F}, l \models_{fin} \Phi_a$ can be reduced to simple 
finite-state examination of the system $S_k \in \mathcal{F}$ with $k$ processes. At the same time, 
the processes to be monitored via $p_1, \ldots, p_k$ may be fixed to $1, \ldots, k$. We denote the 
resulting verification problem as checking whether $S_k \models_{fin} A\,\varphi(1, \ldots, k)$ holds. 
Consequently, we can say that, e.g., to verify mutual exclusion in an RTR\P 
family $\mathcal{F}$, it suffices to verify it for processes 1 and 2 in the system of $\mathcal{F}$ with 
only these two processes. 

Below, we first give a basic cut-off lemma and then we generalize it 
to the above. 

Lemma 1. For an RTR\P family $\mathcal{F}$ and an MPTL path formula $\varphi(p_1, \ldots, p_k)$, 
the following holds for systems of $\mathcal{F}$: 

$$\forall n \geq k : S_n \models_{fin} \forall p_1, \ldots, p_k : A\,\varphi(p_1, \ldots, p_k) \iff S_k \models_{fin} A\,\varphi(1, \ldots, k)$$

Proof. (Sketch) ($\Rightarrow$) We convert a counterexample behaviour of $S_k$ to one of 
$S_n$ by adding some processes and letting them idle at $q_0$. ($\Leftarrow$) To reduce a 
counterexample behaviour of $S_n$ to one of $S_k$, we remove the invisible processes 
and the transitions fired by them (these processes only restrict the behaviour of 
others by blocking some resources) and we permute the processes to make $1, \ldots, k$ 
visible (all processes are initially equal and their names are not significant). □ 

Lemma 1 and properties of MPTL now easily yield the above promised result. 

Theorem 1. Let $\mathcal{F}$ be an RTR\P family and let $\Phi_a = \forall p_1, \ldots, p_k : A\,\varphi(p_1, \ldots, p_k)$ 
be an MPTL formula. Then, checking whether $\mathcal{F}, l \models_{fin} \Phi_a$ holds is equal to 
checking whether $S_k \models_{fin} A\,\varphi(1, \ldots, k)$ holds. 
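The following is an added example, not code from the paper: an executable reading of the 
MPTL path-formula semantics of Sect. 3.2 over explicit finite paths (injective valuations, 
the suffix epsilon once i exceeds the path length, and the universal/existential 
quantification over a set of paths), together with the formula-side half of the (⇐) 
direction of Lemma 1, i.e. dropping the invisible processes from a path and renaming 
the visible ones to 1, ..., k. The encoding of a configuration as a tuple indexed by 
process number, the location names q0/req/use, and the three sample paths are our 
assumptions and constructed inputs. The code does not simulate RTR resource queues, so 
it checks only that MPTL truth is preserved under the projection, not that the reduced 
behaviour is still firable in S_k, which is the RTR-specific part of the lemma. 

```python
# Added example (ours, not the paper's): the MPTL semantics of Sect. 3.2 made
# executable over explicit finite paths, plus the "remove invisible processes
# and rename the visible ones to 1..k" projection used in Lemma 1.
# Assumed encoding (not fixed by the paper): a configuration of S_n is a tuple
# whose entry i-1 is the control location of process i, so c(p) is c[p-1];
# a path is a list of configurations; a valuation is a dict from process
# variables to process numbers and must be injective (Sect. 3.2).
from itertools import permutations

# Syntax of path subformulae (Sect. 3.1) as nested tuples.
def at(p, q):      return ("at", p, q)
def neg(f):        return ("not", f)
def disj(f, g):    return ("or", f, g)
def until(f, g):   return ("until", f, g)
TT = ("tt",)                                       # primitive here, sugar in the paper
def conj(f, g):    return neg(disj(neg(f), neg(g)))
def implies(f, g): return disj(neg(f), g)
def eventually(f): return until(TT, f)             # <>f  =  tt U f
def always(f):     return neg(eventually(neg(f)))  # []f  =  not <> not f

def holds(path, val, f):
    """path, val |= f for a finite path; path[i-1:] is the suffix pi^i, and the
    empty list is the suffix epsilon once i exceeds |pi| (Sect. 3.2)."""
    kind = f[0]
    if kind == "tt":
        return True
    if kind == "at":                               # pi = c.pi' and c(val(p)) = q
        _, p, q = f
        return bool(path) and path[0][val[p] - 1] == q
    if kind == "not":
        return not holds(path, val, f[1])
    if kind == "or":
        return holds(path, val, f[1]) or holds(path, val, f[2])
    if kind == "until":          # some i >= 1 with pi^i |= g2 and pi^k |= g1 for all k < i
        _, g1, g2 = f
        for i in range(1, len(path) + 2):          # i = |pi| + 1 is the suffix epsilon
            if holds(path[i - 1:], val, g2):
                return True
            if not holds(path[i - 1:], val, g1):
                return False
        return False                               # later suffixes equal epsilon again
    raise ValueError(f"unknown connective {kind!r}")

def valuations(variables, n):
    """All injective valuations of the given process variables into {1..n}."""
    variables = list(variables)
    return [dict(zip(variables, perm))
            for perm in permutations(range(1, n + 1), len(variables))]

def sat_universal(paths, n, variables, f):
    """Pi_n |= forall V : A f(V): every injective valuation, every path."""
    return all(holds(pi, nu, f) for nu in valuations(variables, n) for pi in paths)

def sat_existential(paths, n, variables, f):
    """Pi_n |= exists V : E f(V): some injective valuation, some path."""
    return any(holds(pi, nu, f) for nu in valuations(variables, n) for pi in paths)

def project(path, val, variables):
    """Lemma 1 (<=), restricted to what a path formula can see: drop the invisible
    processes and rename the visible ones to 1..k in the order of `variables`.
    Steps fired by invisible processes become stuttering of the visible part and
    are collapsed; MPTL has no next-operator, so no path formula can tell."""
    order = [val[v] for v in variables]
    out = []
    for c in path:
        visible = tuple(c[p - 1] for p in order)
        if not out or out[-1] != visible:
            out.append(visible)
    return out

def projection_preserves(path, val, variables, f):
    """Check  path, val |= f  <=>  project(path), identity |= f."""
    ident = {v: i + 1 for i, v in enumerate(variables)}
    return holds(path, val, f) == holds(project(path, val, variables), ident, f)

# Constructed sample paths of a 3-process system. "use" plays the role of the
# paper's critical section cs, so mutual exclusion is stated over "use".
GOOD = [("q0", "q0", "q0"), ("req", "q0", "q0"), ("use", "q0", "q0"),
        ("use", "req", "q0"), ("use", "req", "req"), ("q0", "req", "req"),
        ("q0", "use", "req"), ("q0", "q0", "req"), ("q0", "q0", "use"),
        ("q0", "q0", "q0")]
OVERLAP = [("q0", "q0", "q0"), ("req", "q0", "q0"), ("use", "q0", "q0"),
           ("use", "q0", "req"), ("use", "q0", "use")]       # 1 and 3 both in use
STARVED = [("q0", "q0", "q0"), ("req", "req", "q0"), ("use", "req", "q0"),
           ("q0", "req", "q0")]                              # 2 requests, never uses

MUTEX = always(neg(conj(at("p1", "use"), at("p2", "use"))))
NO_STARVATION = always(implies(at("p", "req"), eventually(at("p", "use"))))

if __name__ == "__main__":
    print("mutual exclusion on GOOD:   ", sat_universal([GOOD], 3, ["p1", "p2"], MUTEX))
    print("mutual exclusion on OVERLAP:", sat_universal([OVERLAP], 3, ["p1", "p2"], MUTEX))
    print("no starvation on STARVED:   ", sat_universal([STARVED], 3, ["p"], NO_STARVATION))
    print("projection preserves MUTEX: ",
          projection_preserves(GOOD, {"p1": 2, "p2": 1}, ["p1", "p2"], MUTEX))
```

The projection check is the half of Lemma 1 that holds for any path, RTR or not: an 
atomic formula reads only $c(\nu_n(p))$ of a visible process, and without a next-operator the 
collapsed stuttering steps of invisible processes cannot change a verdict. The other half, 
that the projected transition sequence is still firable in $S_k$, is exactly what breaks 
for prioritized families (Sect. 4.2), where an invisible process may be needed to make an 
overtaking between visible ones possible. 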

4.2 Inexistence of Structure-Independent Cut-Offs for RTR 
Families 

Unfortunately, as we prove below, for families with prioritized resource 
management, the same reduction as above cannot be achieved even when we allow the 
bound to also depend on the number of available resources and fix the minimum 
considered number of processes to one. 

Theorem 2. For MPTL formulae $\Phi_a$ with $k$ process variables and RTR families 
$\mathcal{F}$ with $m$ resources, the parametric finite-behaviour verification problem of 
checking whether $\mathcal{F}, 1 \models_{fin} \Phi_a$ holds is not, in general, decidable by examining 
just the systems $S_1, \ldots, S_n \in \mathcal{F}$ with $n$ being a function of $k$ and/or $m$ only. 
[Fig. 1 (figure not reproduced): the run 1.req(A), 1.take(A), 3.req(A,B), 
2.preq(B), 2.ptake(B)] 

Fig. 1. A scenario problematic for the application of cut-offs (the run from the left is 
visualized on the RTR automaton and the appropriate resource queues) 



Proof. (Idea) In the given framework, we can check whether in some system of 
the RTR family $\mathcal{F}$ based on the automaton from Fig. 1, some process $p_1$ can 
request A,B before some process $p_2$ requests B, but the wish of $p_2$ is granted before 
that of $p_1$. As shown in Fig. 1, the above happens in $S_n \in \mathcal{F}$ with $n \geq 3$, but not 
in $S_2 \in \mathcal{F}$ (the overtaking between visible processes 2 and 3 is impossible without 
invisible process 1). Moreover, when we extend the B and AB branches by 
more and more pairs of the appropriate (p)req/rel actions without extending 
the A branch, exclude more than one process from running in these branches by 
adding req(C)/rel(C) (req(D)/rel(D)) at their beginnings and ends, and ask 
whether $p_1$ and $p_2$ can exhibit more and more overtaking, we need more and 
more auxiliary processes in the A branch although $k$ and $m$ do not change. □ 

Despite the above result, there is still some hope that the parametric finite- 
behaviour verification problem for RTR and MPTL can be reduced to finite-state 
model checking. Then, however, the bound on the number of processes would 
have to also reflect the structure of the RTR automaton of the given family 
and/or the structure of the formula being examined. We leave the problem in its 
general form open for future research. Instead, we show below that for certain 
important subclasses of MPTL, the number of processes to be considered in 
parametric finite-behaviour verification can be fixed to the number of process 
variables in the formula at hand as in the RTR\P case (although the underlying 
proof construction is more complex). In this way, we cover, among others, mutual 
exclusion as one of the key properties of the considered class of systems. 

4.3 Cut-Offs for Subclasses of MPTL 

The first subclass of MPTL formulae we consider is the class of invariance and 
reachability formulae of the form $\Psi_a ::= \forall V : A\,\Box\psi(V)$ and $\Psi_e ::= \exists V : E\,\Diamond\psi(V)$ 
in which $\psi(V)$ is a boolean combination of atomic formulae $at(p,q)$. Mutual 
exclusion is an example of a property that falls into this class. 

Let $\Psi_a = \forall p_1, \ldots, p_k : A\,\Box\psi(p_1, \ldots, p_k)$ be an arbitrary invariance MPTL 
formula with $k$ quantified process variables. We show that for any RTR family 
$\mathcal{F}$, the parametric problem of checking $\mathcal{F}, l \models_{fin} \Psi_a$ can be reduced to the 
finite-state problem of verifying $S_k \models_{fin} A\,\Box\psi(1, \ldots, k)$ with the number of 
processes fixed to $k$ and the processes to be monitored via $p_1, \ldots, p_k$ fixed to 
$1, \ldots, k$. As above, we first state a basic cut-off lemma, which we subsequently 
generalize. 
Lemma 2. For any RTR family $\mathcal{F}$ and any nontemporal MPTL path formula 
$\psi(p_1, \ldots, p_k)$, the following holds for systems of $\mathcal{F}$: 

$$\forall n \geq k : S_n \models_{fin} \forall p_1, \ldots, p_k : A\,\Box\psi(p_1, \ldots, p_k) \iff S_k \models_{fin} A\,\Box\psi(1, \ldots, k)$$

Proof. (Sketch) We modify the proof of Lemma 1: In the ($\Leftarrow$) case, to resolve the 
problem with possibly disallowed overtaking among visible processes that could 
be enabled only due to some invisible processes blocking some low-priority visible 
ones (cf. Fig. 1), we postpone firing of (p)req transitions to be just before firing 
of the corresponding (p)take transitions (or at the very end). Then, since the 
preserved visible processes release resources as before and do not block them by 
requests till all originally overtaking requests are served, it can be shown that the 
firability of the reduced transition sequence is guaranteed. Moreover, the behaviour 
is modified in a way invisible for a reachability formula (the negation of $\Box\psi$). □ 

Theorem 3. Let $\mathcal{F}$ be an RTR family and let $\Psi_a = \forall p_1, \ldots, p_k : A\,\Box\psi(p_1, \ldots, p_k)$ 
be an invariance MPTL formula. Then, checking whether $\mathcal{F}, l \models_{fin} \Psi_a$ holds is 
equal to checking whether $S_k \models_{fin} A\,\Box\psi(1, \ldots, k)$ holds. 

Another subclass of MPTL that can be handled within parametric finite- 
behaviour verification of RTR in the same way as above is the class of formulae 
in which we allow any of the MPTL operators to be used, but we exclude di- 
stinguishing whether a process is at a location from which it can request some 
resources or whether it has already requested them. Using such formulae, we 
can, for example, check whether some overtaking among the involved processes 
is possible or excluded (though not on the level of particular requests). Due to 
space limitations, we skip a precise formulation of this result here and refer an 
interested reader to the full version of the paper [4] . 



5 Verification of Fair Behaviour 

We next discuss verification of fair behaviour of systems of RTR families against 
correctness requirements expressed in MPTL. The results presented in this 
section can be applied for verification of liveness properties, such as absence of 
starvation, of systems of RTR families. As for finite-behaviour verification, we 
consider the problem of parametric verification of weakly fair behaviour, i.e. checking 
whether $\mathcal{F}, l \models_{wf} \Phi_a$ holds for an RTR family $\mathcal{F}$, a universal MPTL formula 
$\Phi_a$, and a lower bound $l$ on the number of processes. 

We show first that under the pure FIFO resource management, considering 
up to $m + k$ processes, with $m$ being the number of resources and $k$ the number 
of visible processes, suffices for parametric verification of weakly fair behaviour 
against any MPTL formulae. By contrast, for prioritized resource management, 
we prove that (as for finite behaviour verification) there does not exist any 
general, structure-independent cut-off that would allow us to reduce parametric 
verification of weakly fair behaviour to finite-state verification. Moreover, we 
show that, unfortunately, the inexistence of a structure-independent cut-off 
concerns, among others, also verification of the very important property of absence 
of starvation. Thus, for the needs of parametric verification of fair behaviour, we 
subsequently examine in more detail the possibility only sketched in the previous 
section, i.e. trying to find a cut-off reflecting the structure of the appropriate RTR 
automaton and/or the structure of the formula. 

5.1 A Cut-Off Result for RTR\P Families 

Let $\mathcal{F}$ be an RTR\P family with $m$ resources and $\Phi_a = \forall p_1, \ldots, p_k : A\,\varphi(p_1, \ldots, p_k)$ 
a universal MPTL formula with $k$ process variables. We show that the parametric 
verification problem of weakly fair behaviour for $\mathcal{F}$ and $\Phi_a$ can be reduced to a 
series of finite-state verification tasks in which we do not have to examine any 
systems of $\mathcal{F}$ with more than $m + k$ processes. The processes to be monitored via 
$p_1, \ldots, p_k$ may again be fixed to $1, \ldots, k$. We denote the thus arising finite-state 
verification tasks as checking whether $S_n \models_{wf} A\,\varphi(1, \ldots, k)$ holds. 

As in Sect. 4, we now first state a basic cut-off lemma and then we generalize 
it. However, the way we establish the cut-off turns out to be significantly more 
complex, because lifting a counterexample behaviour from a small system to a 
big one is now much more involved than previously. To ensure weak process 
fairness, newly added processes must be allowed to fire some transitions, but at 
the same time, this cannot influence the behaviour of the visible processes. 

Lemma 3. For systems of an RTR\P family $\mathcal{F}$ with $m$ resources and an MPTL 
path formula $\varphi(p_1, \ldots, p_k)$, the following holds: 

$$\forall n \geq m + k : S_n \models_{wf} \forall p_1, \ldots, p_k : A\,\varphi(p_1, \ldots, p_k) \iff S_{m+k} \models_{wf} A\,\varphi(1, \ldots, k)$$

Proof. (Idea) ($\Leftarrow$) Similar to Lemma 1. To eventually forever block in $S_{m+k}$ the 
visible processes that forever block in $S_n$, we need at most one invisible process 
per resource. ($\Rightarrow$) To extend a counterexample behaviour $\beta_{m+k}$ of $S_{m+k}$ to one of 
$S_n$, we distinguish three cases: (1) If all original processes deadlock in $\beta_{m+k}$, the 
newly added ones can deadlock too. (2) If all processes run in $\beta_{m+k}$, at least one 
process may be shown to eventually not use any resource or always eventually 
release all of them. The new processes can mimic its behaviour. As they regularly 
do not block any resources, we may interleave them in the non-blocking phases 
with each other and with the original processes (without influencing the visible 
ones). (3) The case when some processes get blocked and some run forever in 
$\beta_{m+k}$ may be split to subcases solvable like (1) or (2). □ 

Now, the theorem generalizing the lemma can be easily obtained by exploiting 
properties of MPTL. Note, however, that unlike in Theorems 1 and 3, it leads to 
a necessity of examining several systems, which is due to the difference between 
the cut-off bound $m + k$ and the number $k$ of visible processes. 

Theorem 4. Let $\mathcal{F}$ be an RTR\P family with $m$ resources and let 
$\Phi_a = \forall p_1, \ldots, p_k : A\,\varphi(p_1, \ldots, p_k)$ be an MPTL formula. Then, checking whether 
$\mathcal{F}, l \models_{wf} \Phi_a$ holds is equal to checking whether $S_n \models_{wf} A\,\varphi(1, \ldots, k)$ holds 
for all systems $S_n \in \mathcal{F}$ such that $\min(\max(l, k), m + k) \leq n \leq m + k$. 

We show in [4] that examining the systems $S_k$ (if $l \leq k$) and $S_{m+k}$ is necessary 
for the above result. The question of a potential optimization of the result by 
not having to examine all the systems between $\max(l, k)$ and $m + k$ remains 
open for the future, but this does not seem to be a real obstacle to practical 
applicability of the result. 

5.2 Absence of Structure-Independent Cut-Offs for RTR Families 

In verification of weakly fair behaviour of RTR families against MPTL formulae, 
we examine complete, usually infinite behaviours of systems of the considered 
families. However, to be able to examine such behaviours, we need to examine 
their finite prefixes as well. Then, Theorem 2 immediately shows that there does 
not exist any structure-independent cut-off allowing us to reduce the given 
general problem to finite-state verification. Moreover, for the case of verifying fair 
behaviour of RTR families against MPTL formulae, no structure-independent 
cut-offs exist even for more restricted scenarios than in finite behaviour 
verification. Namely, the query used in the proof of Theorem 2 speaks about two 
processes. However, below, we give a theorem showing that for the case of 
parametric verification of weakly fair behaviour, no structure-independent cut-off 
exists even for single-process MPTL formulae, i.e. formulae having a single 
process variable and thus speaking about a single visible process. In particular, 
such a cut-off does not exist for a single-process formula encoding absence of 
starvation. The theorem is proven in [4] by giving an example family. 

Theorem 5. For RTR families $\mathcal{F}$ with $m$ resources and the property of absence 
of starvation expressed as $\Phi_a = \forall p : A\,\Box(at(p,req) \Rightarrow \Diamond at(p,use))$, the problem 
of checking whether $\mathcal{F}, 1 \models_{wf} \Phi_a$ holds is not, in general, decidable by examining 
just the systems $S_1, \ldots, S_n \in \mathcal{F}$ with $n$ being a function of $m$ only. 

5.3 A Cut-Off for Single-Process MPTL Formulae 

There is no simple cut-off for verification of weakly fair behaviours of RTR 
families against single-process MPTL formulae since a lot of invisible processes 
requesting resources with high priority may be needed to block a visible process. 
Their number depends on the structure of the control automaton. However, this 
number can be bounded as shown in this section. 

To give the bound we need some definitions. Let $\mathcal{F}(\mathcal{A})$ be an RTR family with 
$m$ resources. The set of control locations $Q_{\mathcal{A}}$ of $\mathcal{A}$ is split into two disjoint parts: 
$Q_O$ (all internal control locations and those where processes own at least one 
resource; without loss of generality a process always owns the same resources at a 
given control location) and $Q_N$ (the others). Let $F = |Q_N|$ ($F \geq 1$ as $Q_N$ contains 
the initial location $q_0$), $C = |2^{Q_O}| = 2^{|Q_O|}$ and $M_C = $ ■. Then, we can define 
the needed bound as 

$$B_{\mathcal{F}} = C\,M_C\,(M_C + 1)\,(2FC(M_C + 1))^{■} + 2C(M_C + 1) + 2m + 1.$$

The key cut-off lemma below shows that if a formula is true in systems having 
between $m + 1$ and $B_{\mathcal{F}}$ processes, it is also true in systems with more than $B_{\mathcal{F}}$ 
processes. This and Lemma 5 stating the opposite allow us to reduce the 
parametric verification problem to verification of systems with up to $B_{\mathcal{F}}$ processes. 
Lemma 4. Let $\mathcal{F}$ be an RTR family with $m$ resources and $\varphi(p)$ an MPTL path 
formula. Then the following holds for systems of $\mathcal{F}$: 

$$\forall n > B_{\mathcal{F}} : \big(\forall n',\ m + 1 \leq n' \leq B_{\mathcal{F}} : S_{n'} \models_{wf} \forall p : A\,\varphi(p)\big) \Rightarrow S_n \models_{wf} \forall p : A\,\varphi(p)$$

Proof. (Idea) The full proof is very involved. It is based on the fact that the 
exact identity of invisible processes is not important, only their number is. The 
problem of finding the bound can then be seen as finding a bounded solution 
of a linear equation system encoding properties of admissible counterexamples, 
which is possible with a lemma from Linear Integer Programming [13]. □ 

We now give the counterpart to Lemma 4 whose proof is similar to the proof 
of the appropriate direction of Lemma 3. 

Lemma 5. Let $\mathcal{F}$ be an RTR family and $\varphi(p)$ an MPTL path formula. Then, for 
systems of $\mathcal{F}$, we have: 

$$\forall n' \geq m + 1,\ n \geq n' : S_n \models_{wf} A\,\varphi(1) \Rightarrow S_{n'} \models_{wf} \forall p : A\,\varphi(p)$$

We use Lemmas 4 and 5 to give the complete cut-off result for single-process 
MPTL formulae and weakly fair behaviour of systems of RTR families. 

Theorem 6. Let $\mathcal{F}$ be an RTR family with $m$ resources and let $\Phi_a = \forall p : A\,\varphi(p)$ 
be a single-process MPTL formula. Then, checking $\mathcal{F}, l \models_{wf} \Phi_a$ is equal 
to checking $S_n \models_{wf} A\,\varphi(1)$ for all $S_n \in \mathcal{F}$ with $l \leq n \leq m + 1$ or $n = B_{\mathcal{F}}$. 

5.4 Simple RTR Families 

Above, we have shown that parametric verification of weakly fair behaviour of 
RTR families against single-process MPTL formulae is decidable, but no really 
simple reduction to finite-state verification is possible in general. We now give a 
restricted subclass of RTR families for which the problem can be solved using a 
structure-independent cut-off bound. 

An RTR family $\mathcal{F}$ is simple if the set of control locations $Q_N$ contains only the 
initial location $q_0$: Processes start from it by requesting some resources (possibly 
in different ways) and then they may request further resources as well as release 
some. However, as soon as they release all of their resources, they go back to $q_0$. 
This class is not unrealistic; it corresponds to systems with a single 
resource-independent computational part surrounded by actions using resources. For 
this class we show an improved cut-off bound using $2m + 2$ processes, which is 
better than $B_{\mathcal{F}}$ for $F = 1$. This is basically due to the fact that only $m$ invisible 
processes can be simultaneously in control locations $Q_O$. 

Theorem 7. Let $\mathcal{F}$ be a simple RTR family with $m$ resources and let $\Phi_a = \forall p : A\,\varphi(p)$ 
be a single-process MPTL formula. Then, checking $\mathcal{F}, l \models_{wf} \Phi_a$ is equal 
to checking $S_n \models_{wf} A\,\varphi(1)$ for all $S_n \in \mathcal{F}$ with $l \leq n \leq m + 1$ or $n = 2m + 2$. 

Notice that an invisible process can freely move among all locations in a 
subcomponent $Q'$ of $\mathcal{A}$ which is strongly connected by $\tau$-transitions. Therefore, 
Theorem 7 can be generalized to families whose $Q_N$ corresponds to such a 
component. Moreover, the same idea can be used to optimize the general $B_{\mathcal{F}}$ bound. 
6 Process Deadlockability 

Given an RTR family $\mathcal{F}$ and a system $S_n \in \mathcal{F}$, we say that a process $p$ is 
deadlocked in a configuration $c \in C_n$ if there is no configuration reachable from 
$c$ from which we could fire some transition in $p$. As is common for linear-time 
frameworks, process deadlockability cannot be expressed in MPTL, and so since 
it is an important property to check for the class of systems we consider, we now 
provide a specialized (structure-independent) cut-off result for dealing with it. 

Theorem 8. Let $\mathcal{F}$ be an RTR family with $m$ resources. For any $l$, the systems 
$S_n \in \mathcal{F}$ with $l \leq n$ are free of process deadlock iff $S_{\max(m,2)} \in \mathcal{F}$ is. 

Proof. (Sketch) We can encounter scenarios where a group of processes is mu- 
tually deadlocked due to some circular dependencies in queues of requests, but 
also situations where a process is deadlocked due to being always inevitably over- 
taken by processes that keep running and do not even own any resource forever. 
However, when we (partially) replace overtaking by postponed firing of requests 
(cf. Lemma 2), push blocked high-priority requests before the low-priority ones 
(the former block the latter, but not conversely), and preserve only the running 
processes that never release all resources simultaneously, we can show that we 
suffice with one (primary) blocked and/or blocking process per resource. □ 

Let us note that the possibility of inevitable overtaking examined in the 
proof of Theorem 8 as a possible source of process deadlocks in systems of RTR 
families is stronger than starvation. Starvation arises already when there is a 
single behaviour in which some process is eventually always being overtaken. 
Interestingly, as we have shown, inevitable overtaking is much easier to handle 
than starvation, and we obtain a cut-off bound that cannot be improved even 
when we restrict ourselves to RTR\P families with no overtaking. 

7 RTR Families and Undecidability 

Finally, we discuss an extension of MPTL by local process quantification [8] where 
processes to be monitored in a behaviour are not fixed at the beginning, but may 
be chosen independently in each encountered state. Local process quantification 
can be added to MPTL by allowing $\forall V' : \varphi(V \cup V')$ to be used in a path 
formula $\varphi(V)$ with the semantics $\pi_n, \nu_n \models \forall V' : \varphi(V \cup V')$ iff 
$\pi_n, \nu_n' \models \varphi(V \cup V')$ holds for all valuations $\nu_n'$ of $PV$ such that 
$\forall p \in PV \setminus V' : \nu_n'(p) = \nu_n(p)$. 
Such a quantification can be used to express, e.g., the global response property 
$A\,\Box((\exists p_1 : at(p_1,req)) \Rightarrow \Diamond(\exists p_2 : at(p_2,resp)))$, which cannot be encoded with 
global process quantifiers if the number of processes is not known. Unfortunately, 
it can be shown that parametric verification of linear-time finite-behaviour 
properties with local process quantification is undecidable even for RTR\P. 

Theorem 9. The parametric finite-behaviour verification problem of checking 
$\mathcal{F}, 1 \models_{fin} \Phi_a$ for an RTR\P family $\mathcal{F}$ and an MPTL formula $\Phi_a$ with local 
process quantification is undecidable even when the only temporal operators used are 
$\Box$ and $\Diamond$ and no temporal operator is in the scope of any local process quantifier. 

Proof. (Idea) The proof is done via simulating two-stack push-down automata 
and is very complex because the queues we work with are not classical 
communication queues, but only waiting queues. □ 



8 Conclusions 

In this paper, we have defined an abstract model for a significant class of pa- 
rametric systems of processes competing for access to shared resources under a 
FIFO resource management with a possibility of distinguishing low- and high- 
priority requests. The primitives capturing the interaction between processes 
and resources and the resource management policies considered are natural and 
inspired by real-life applications. We have established cut-off bounds showing 
that many practical parametric verification problems (including verification of 
mutual exclusion, absence of starvation, and process deadlockability) are decida- 
ble in this context. The way the obtained results were established is sometimes 
technically highly involved, which is due to the fact that the considered model 
is quite powerful and (as we have also shown) positive decidability can easily be 
lost if verification of a bit more complex properties is considered. 

The structure-independent cut-offs we have presented in the paper are small 
and - for verification of finite behaviour and process deadlockability - optimal. 
They provide us with practical decision procedures for the concerned parametric 
verification problems and, moreover, they can also be used to simplify finite-state 
verification for systems with a given large number of processes. 

The structure-dependent cut-off for single-process formulae and verifying the 
fair behaviour of the general RTR families is quite big and does not yield a really 
practical decision procedure. One challenging problem is now to optimize this 
bound. Although we know that no general structure-independent cut-off exists, 
the bound we have provided is not optimal, and significantly improved cut-offs 
could be found especially for particular classes of systems as we have already 
shown for simple RTR families. 

Another interesting issue is to improve the decidability bounds. For general 
RTR families and arbitrary MPTL formulae, decidability of parametric verifica- 
tion of finite as well as fair behaviour remains open. So far, we have only shown 
that these problems cannot be handled via structure-independent cut-offs. Con- 
versely, the question of existence of practically interesting, decidable fragments 
of MPTL with local process quantification is worth examining too. If no (or no 
small) cut-off can be found, we could then try to find some adequate abstraction 
and/or symbolic verification techniques. 

Finally, several extensions or variants of the framework can be considered. 
For example, the questions of nonexclusive access to resources or nonblocking 
requests can be examined. Moreover, several other locker policies can be consi- 
dered, e.g., service in random order or a policy where any blocked process can 
be overtaken. We believe the results presented here and the reasoning used to 
establish them provide (to a certain degree) a basis for examining such questions. 
Abstract. The term Input/Output Automata refers to a family of sy- 
stem modeling frameworks based on interacting infinite-state machines. 
The models come in several flavors, based on which features (fairness, 
time, continuous behavior, probability, etc.) they can express. In each of 
these frameworks, automata can be composed in parallel to form more 
complex automata, and automata can be related using levels of abstrac- 
tion. Properties of automata can be proved by hand or with the assistance 
of theorem-proving programs. 

The first framework of this kind, which appeared in 1987, was the ba- 
sic fair asynchronous I/O automata modeling framework of Lynch and 
Tuttle. It was used originally to describe and analyze a simple network re- 
source allocation algorithm at multiple levels of abstraction. Since then, 
I/O automata have been used extensively to model distributed algo- 
rithms and distributed systems, and even to prove impossibility results. 
For example, they have been used for algorithms that implement ato- 
mic shared memory and for systems that provide group communication 
services. 

Next came the “timed I/O automata” framework of Lynch and Vaand- 
rager, which augmented the “unfair” portion of the basic model with 
time-passage steps. Timed I/O automata have been used to describe a 
variety of timing-based algorithms, including timeout-based failure de- 
tectors and consensus algorithms, communication protocols, and clock 
synchronization algorithms. They have also been used to analyze perfor- 
mance of many algorithms and systems. 

A more recent development was the “hybrid I/O automata” framework, 
which supports modeling and analysis of hybrid discrete/continuous sy- 
stems. The main addition here is a set of trajectories, which can be used 
to describe the evolution of system state over intervals of time. Hybrid 
I/O automata have been used for many case studies, ranging from simple 
toy examples of vehicles on tracks to complex helicopter control applica- 
tions. 

“Probabilistic I/O automata”, defined by Segala in 1995, allow proba- 
bilistic choice of the next state, in addition to nondeterministic choice. 
They have been used for describing and analyzing randomized distribu- 
ted algorithms and security protocols. Finally, “dynamic I/O automata” 
were introduced recently by Attie; they add, to the basic “unfair” mo- 
del, the capability for processes to create other processes and to destroy 
themselves. 
In this CONCUR talk, I will define the various I/O automata modeling 
frameworks in some detail, will survey some of the ways in which they 
have been used, and will describe current research and open problems. 
Our current research includes re- formulating timed I/O automata as a 
restricted version of hybrid I/O automata, and expressing a large set of 
results about timed systems as theorems about the resulting framework. 
We are also working on developing the probabilistic I/O automata mo- 
del further, emphasizing compositionality results. In the longer run, we 
would like to have a combined model that includes both probabilistic and 
hybrid continuous/discrete behavior. In fact, eventually, we would like to 
have a comprehensive I/O-automata-style modeling framework that can 
express all of the features described above - fairness, time, continuous 
behavior, probabilistic behavior, and dynamic behavior - but that can be 
specialized appropriately when only some of these features are needed. 

This talk is based on work by many people, notably Mark Tuttle, Frits 
Vaandrager, Roberto Segala, Paul Attie, and Dilsun Kirli Kaynar. 
Abstract. We present a process-algebraic language for Probabilistic 
I/O Automata (PIOA). To ensure that PIOA specifications given in our 
language satisfy the “input-enabled” property, which requires that all 
input actions be enabled in every state of a PIOA, we augment the lan- 
guage with a set of type inference rules. We also equip our language 
with a formal operational semantics defined by a set of transition rules. 
We present a number of results whose thrust is to establish that the ty- 
ping and transition rules are sensible and interact properly. The central 
connection between types and transition systems is that if a term is well- 
typed, then in fact the associated transition system is input-enabled. We 
also consider two notions of equivalence for our language, weighted bi- 
simulation equivalence and PIOA behavioral equivalence. We show that 
both equivalences are substitutive with respect to the operators of the 
language, and note that weighted bisimulation equivalence is a strict re- 
finement of behavioral equivalence. 

Keywords: stochastic process algebras; typing systems and algorithms; 
process equivalences; continuous-time Markov chains 



1 Introduction 

In previous work [WSS94,WSS97] we introduced probabilistic I/O automata (PIOA) as a formal model for systems that exhibit concurrent and probabilistic behavior. PIOA extend the well-known I/O automaton model for nondeterministic computation [LT87] with two kinds of performance information: probability distributions representing the relative likelihood with which transitions from a given state labeled by the same input are performed; and rate information describing how long, on average, the automaton will remain in a state before taking a particular output or internal transition. 

* This research was supported in part by the National Science Foundation under Grant CCR-9988155 and the Army Research Office under Grants DAAD190110003 and DAAD190110019. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation, the Army Research Office, or other sponsors. 
PIOA are similar in many respects to stochastic automata [Buc99,PA91], and like stochastic automata, PIOA are associated with continuous-time Markov chains (CTMCs). PIOA are also equipped with a composition operation by which a complex automaton can be constructed from simpler components. Both PIOA and stochastic automata can thus be seen as a formalism for describing large CTMC system models from simpler components. The composition operation for PIOA is defined in essentially the same way as for stochastic automata; however, the PIOA model draws a distinction between input (passive) and output (active) actions, and in forming the composition of automata only input/input or input/output synchronization is permitted — the output/output case is prohibited. 

In [SS98] we presented algorithms for calculating certain kinds of performance parameters for systems modeled in terms of PIOA. These algorithms work in a compositional fashion; that is, by treating the components of a composite system in succession rather than all at once. Our implementation of these algorithms, called “PIOATool,” has been integrated into the Concurrency Workbench [CPS93] (CWB), as described in [ZCS03]. The CWB provides several analysis capabilities for specifications expressed in a process-algebraic language, including equivalence, preorder, and model checking. It has a retargetable front end that allows it to be applied to virtually any process-algebraic language having a formal semantics defined in the “structural operational semantics” (SOS) style. To achieve the PIOATool/CWB integration, it was necessary for us to design such a process-algebraic language for PIOA-based specifications, together with an SOS semantics for the language. This language, and associated theorems about its semantics, form the subject of the present paper. 

The PIOA model exhibits certain features that differentiate it from other languages previously supported by the CWB. One such feature is the fact that each transition of a PIOA, besides being labeled by an action, is also labeled by a numeric weight, which can be either a probability (in the case of an input transition) or a rate (in the case of an output or internal transition). Another such feature is the so-called “input-enabled” property, which requires that all input actions be enabled in every state of a PIOA. It is the second of these features that has the most impact on the design of a process-algebraic language for PIOA, since it is necessary to ensure that the input-enabled property holds for every well-formed specification in the language. The problem is that process-algebraic specifications of desired input-enabled transition systems usually have to be built up from component specifications that are not input-enabled. 

To solve the problem of guaranteeing that PIOA specifications given in our language satisfy the input-enabled property, we augment the language with a set of type inference rules. These rules define a set of inferable typing judgements of the form $t : I/J \Rightarrow O$. Such a judgement asserts that for term $t$, $I$ is a set of actions for which input transitions are guaranteed to be enabled at the first step of $t$, $J$ is a set of actions for which input transitions are guaranteed to be enabled at all steps of $t$ after the first, and $O$ is a set of actions that includes at least all the outputs that may be produced by $t$ (but which may be larger). A closed term $t$ is called well-typed if there is some typing judgement that is inferable for it. Besides enforcing input-enabledness, types are used to enforce compatibility conditions for parallel composition and they also appear as hypotheses in some of the transition rules of the language’s operational semantics. 

We present a number of results whose thrust is to establish that the typing 
and transition rules are sensible and interact properly, including a principal 
type theorem, a connection between the types that can be inferred for a term 
and the transitions that can be inferred for it, and a subject reduction theorem 
which establishes that well-typedness is preserved across transitions. The central 
connection between types and transition systems is that if a term is well-typed, 
then in fact the associated transition system is input-enabled. 

We also define two notions of equivalence for our language, weighted bisimulation equivalence and PIOA behavioral equivalence, and investigate their properties. In particular, we observe that weighted bisimulation equivalence strictly refines behavioral equivalence (a detailed proof can be found in [Sta03]) and that both equivalences are substitutive with respect to the operators of the PIOA language. 

The rest of the paper develops along the following lines. Section 2 surveys some related work by other researchers. Section 3 defines the syntax of our PIOA language. Section 4 presents the language’s type-inference rules and transition rules. Section 5 gives metatheoretic results that connect the typing and transition rules. Section 6 defines the two notions of equivalence and establishes that they are substitutive. Section 7 contains our concluding remarks. Due to space limitations, all proofs are omitted. 

2 Related Work 

Formal languages for specifying (non-probabilistic) I/O automata have previously been proposed by several researchers. The process-algebraic languages presented in [Vaa91,DNS95] ensure input-enabledness by filling in “default transitions” for missing input transitions. In the case of [Vaa91], the default transitions are “self-loop” input transitions taken from a term to itself. In [DNS95], the default transitions lead to the “unspecified I/O automaton”. In contrast, we have found in writing actual specifications that sometimes one wants default transitions that are self-loops and sometimes one wants default transitions that go to an error state. An automatic mechanism for filling in defaults is likely to get it wrong a significant fraction of the time, resulting in a specification language that is less transparent to the user. Thus, our language does not make any attempt to fill in default transitions, but rather it employs a notion of well-typedness of terms which guarantees that all well-typed terms are input-enabled. 

Another language for describing I/O automata is the IOA language of [GL00]. IOA uses guarded-command-like “transition definitions” consisting of preconditions and effects to encode I/O automata. It also provides constructs for nondeterministic choice, composition, and action hiding. Automatic code generation from IOA specifications is also supported. 

A number of process algebras capturing performance-related aspects of system behavior have been proposed in the literature; see [HH02] for a comprehensive survey. Among these, EMPA [BDG98] is perhaps most closely related to our PIOA process algebra as it makes an I/O-like master-slave distinction between “active” and “passive” actions. Active and passive actions can synchronize, with the rate of the synchronization determined by the rate of the passive action, while synchronization between active actions is disallowed. Hillston [Hil94] gives a thoughtful discussion of the issues surrounding synchronization in stochastic processes, including the role of passive and active actions. The issue has also been treated more recently by Brinksma and Hermanns [BH01]. 

3 Syntax 

Let $Act$ be a set of actions, and let $Var$ be a set of variables. We use $a, b, c, \ldots$ to range over $Act$ and we use $X, Y, Z, \ldots$ to range over $Var$. Our language has the following syntax: 

$$t ::= X \mid \mathbf{nil} \mid a_{(w)}\,?\,t \mid b_{(r)}\,!\,t \mid \tau_{(r)} \cdot t \mid t_1 + t_2 \mid t_1\ {}_{O_1}\|_{O_2}\ t_2 \mid t[O] \mid t\{a \leftarrow a'\} \mid \mu X.t$$ 

The informal meaning of the various constructs is as follows: 

— $X$ is a process variable, used in forming recursive processes. 

— $\mathbf{nil}$ denotes a process with no actions and no transitions. 

— $a_{(w)}\,?\,t$ denotes an input-prefixed process that can perform input action $a \in Act$ with weight $w$ and then become the process $t$. The weight $w$ must be a positive real number, and it is typically a probability. 

— $b_{(r)}\,!\,t$ denotes an output-prefixed process that can perform output action $b \in Act$ with rate $r$ and then become the process denoted by $t$. The rate $r$ must be a positive real number, which (as usual for CTMC-based models) we regard as the parameter of an exponential probability distribution that describes the length of time before the term $b_{(r)}\,!\,t$ will perform a transition. 

— $\tau_{(r)} \cdot t$ denotes an internal-prefixed process that can perform an internal transition with rate $r$ and then become the process denoted by $t$. Here $\tau$ is a special symbol, not in $Act$, used to indicate an internal transition. The rate $r$ must be a positive real number, as for output prefixing. 

— $t_1 + t_2$ denotes a choice between alternatives offered by $t_1$ and $t_2$. Choices between summands prefixed by distinct input actions are determined by the environment, and amount to a form of external nondeterminism. Choices between summands prefixed by the same input action are probabilistic choices governed by the relative weights appearing in the prefixes. Choices between summands prefixed by output or internal actions are probabilistic choices governed by the usual race condition involving the rates appearing in the prefixes. Choices between input-prefixed summands and summands prefixed by output or internal actions are ultimately resolved by a race between the process and its environment. 

— $t_1\ {}_{O_1}\|_{O_2}\ t_2$ denotes a process that is the parallel composition of the processes denoted by $t_1$ and $t_2$. The sets $O_1$ and $O_2$ are the sets of output actions controlled by $t_1$ and $t_2$, respectively. These sets are required to be disjoint. 

— $t[O]$ denotes a term $t$ in which all output transitions labeled by actions not in the set $O$ have been hidden by transforming them into internal transitions. 

— $t\{e \leftarrow e'\}$ denotes the renaming of action $e$ to $e'$ in $t$. The typing rules presented below will ensure that action $e'$ is a fresh action that is not already an input or output action for $t$. 

— $\mu X.t$ denotes a recursively defined process in the usual way. The recursion variable $X$ is required to be guarded by input, output, or internal prefixing in the expression $t$. 

4 Semantics 

4.1 Types 

Our language is equipped with a set of inference rules for inferring typing judgements, which take the form $t : I/J \Rightarrow O$ where $I$, $J$, and $O$ are sets of actions. The intuitive meaning of such judgements was described in Sect. 1. We use the abbreviation $I \Rightarrow O$ for the special case $I/I \Rightarrow O$ in which the sets $I$ and $J$ are equal. A closed term $t$ is well-typed if some typing judgement can be inferred for it. 

The type-inference rules, given in Fig. 1, are expressed in a natural-deduction style. Each rule is to be applied in the context of a set $A$ of assumptions about the types of the free variables appearing in the terms, where each assumption in $A$ has the form $X : I/J \Rightarrow O$. Rules other than the recursion rule are applicable if under assumptions $A$ the judgements in the premises can be inferred, and in that case the judgement in the conclusion can also be inferred under the same assumptions $A$. The rule for recursion is slightly different, in that in order to establish the premise one is permitted to add to the set $A$ an additional assumption about the recursive variable $X$. This additional assumption is discharged by the rule, so that the conclusion is inferable under assumptions $A$ without the additional assumption on $X$. Since the set $A$ is the same in the premises and conclusion of each rule except the rule for recursion, to avoid clutter, we have not explicitly indicated the set $A$ in each case. 

In the sequel, we will use the notation $A \vdash t : \phi$ to assert that there is an inference of the judgement $t : \phi$ from the set of hypotheses $A$. We will use $\vdash t : \phi$ to assert that a typing judgement $t : \phi$ is inferable from the empty set of assumptions. Note that this is only possible if $t$ is closed. 

It is worth pointing out that the type-inference rules do not uniquely associate a type with each well-typed term. The simplest case of this is the rule for $\mathbf{nil}$, which permits any judgment of the form $\mathbf{nil} : \emptyset \Rightarrow O$ to be inferred. However, as we will show later, if a closed term $t$ is well-typed, then in fact there is a uniquely determined set $I$ and a smallest set $O$ such that a judgment $t : I \Rightarrow O$ is inferable. 

$$\frac{t : I \Rightarrow O \quad a \in I}{a_{(w)}\,?\,t : \{a\}/I \Rightarrow O} \qquad \frac{t : I \Rightarrow O \quad b \notin I}{b_{(r)}\,!\,t : \emptyset/I \Rightarrow O \cup \{b\}} \qquad \frac{t : I \Rightarrow O}{\tau_{(r)} \cdot t : \emptyset/I \Rightarrow O}$$ 

$$\frac{t_1 : I_1/J \Rightarrow O_1 \quad t_2 : I_2/J \Rightarrow O_2}{t_1 + t_2 : I_1 \cup I_2/J \Rightarrow O_1 \cup O_2} \qquad \frac{t_1 : I_1 \Rightarrow O_1' \quad t_2 : I_2 \Rightarrow O_2' \quad O_1' \subseteq O_1 \quad O_2' \subseteq O_2}{t_1\ {}_{O_1}\|_{O_2}\ t_2 : (I_1 \cup I_2) \setminus (O_1 \cup O_2) \Rightarrow O_1 \cup O_2}$$ 

$$\frac{t : I \Rightarrow O \quad a \in I \quad a' \notin I \cup O}{t\{a \leftarrow a'\} : (I \setminus \{a\}) \cup \{a'\} \Rightarrow O} \qquad \frac{t : I \Rightarrow O \quad b' \notin I \cup O}{t\{b \leftarrow b'\} : I \Rightarrow (O \setminus \{b\}) \cup \{b'\}}$$ 

$$\frac{t : I \Rightarrow O' \quad O \subseteq O'}{t[O] : I \Rightarrow O} \qquad \frac{}{\mathbf{nil} : \emptyset \Rightarrow O} \qquad \frac{X : I \Rightarrow O \vdash t : I \Rightarrow O}{\mu X.t : I \Rightarrow O}$$ 

Fig. 1. Type-inference rules 

4.2 Transitions 

The transition rules for the PIOA language are used to infer transitions of one of the following three types: $t \xrightarrow{a}_{w} u$, $t \xrightarrow{b}_{r} u$, or $t \xrightarrow{\tau}_{r} u$. The first of these denotes an input transition having associated action $a$ and weight $w$. The second denotes an output transition having associated action $b$ and rate $r$. The third denotes an internal transition having associated rate $r$. Both weights $w$ and rates $r$ are required to be positive real numbers; however, we regard weights $w$ as dimensionless quantities (such as probabilities) and we regard rates as dimensional quantities with units of 1/time. The full set of transition rules is given in Fig. 2. 

There are several points to be noted about the transition rules. In the rules for a parallel composition $t_1\ {}_{O_1}\|_{O_2}\ t_2$, an input transition for component $t_1$ can occur either independently, if the associated action $a$ is in neither the input set $I_2$ of $t_2$ nor the set $O_2$ of outputs declared to be controlled by $t_2$, or as a synchronized input transition, if $a$ is in both $I_1$ and $I_2$, or else as a synchronized output transition, if $a$ is in $I_1$ and $O_2$. Synchronization in a parallel composition results in multiplication of the values that label the transitions. However, note that the rules only call for the multiplication of two weights, or the multiplication of a weight and a rate, but never the multiplication of two rates. This is consistent with our view of weights as dimensionless quantities (e.g. probabilities) and of rates as quantities with dimensions of 1/time. 

In a parallel composition $t_1\ {}_{O_1}\|_{O_2}\ t_2$ the syntax declares explicitly the sets $O_1$ and $O_2$ of outputs that are to be controlled by $t_1$ and $t_2$, respectively. The sets of outputs $O_1'$ and $O_2'$ that $t_1$ and $t_2$ can actually produce may be smaller. The reason is that as $t_1$ and $t_2$ evolve, the sets of outputs that they are capable of actually producing may diminish, though in a parallel composition they still exert control over “lost” output actions by inhibiting their occurrence as inputs in other components. 




A Process-Algebraic Language for Probabilistic I/O Automata 

$$\frac{}{a_{(w)}\,?\,t \xrightarrow{a}_{w} t} \qquad \frac{}{b_{(r)}\,!\,t \xrightarrow{b}_{r} t} \qquad \frac{}{\tau_{(r)} \cdot t \xrightarrow{\tau}_{r} t}$$ 

$$\frac{t_1 \xrightarrow{a}_{w} t'}{t_1 + t_2 \xrightarrow{a}_{w} t'} \qquad \frac{t_1 \xrightarrow{b}_{r} t'}{t_1 + t_2 \xrightarrow{b}_{r} t'} \qquad \frac{t_1 \xrightarrow{\tau}_{r} t'}{t_1 + t_2 \xrightarrow{\tau}_{r} t'} \qquad \frac{t_2 \xrightarrow{a}_{w} t'}{t_1 + t_2 \xrightarrow{a}_{w} t'} \qquad \frac{t_2 \xrightarrow{b}_{r} t'}{t_1 + t_2 \xrightarrow{b}_{r} t'} \qquad \frac{t_2 \xrightarrow{\tau}_{r} t'}{t_1 + t_2 \xrightarrow{\tau}_{r} t'}$$ 

$$\frac{t_1 \xrightarrow{a}_{w} t_1' \quad t_2 : I_2 \Rightarrow O_2' \quad a \notin I_2 \cup O_2}{t_1\ {}_{O_1}\|_{O_2}\ t_2 \xrightarrow{a}_{w} t_1'\ {}_{O_1}\|_{O_2}\ t_2} \qquad \frac{t_1 \xrightarrow{a}_{w_1} t_1' \quad t_2 \xrightarrow{a}_{w_2} t_2'}{t_1\ {}_{O_1}\|_{O_2}\ t_2 \xrightarrow{a}_{w_1 w_2} t_1'\ {}_{O_1}\|_{O_2}\ t_2'}$$ 

$$\frac{t_1 \xrightarrow{b}_{r} t_1' \quad t_2 : I_2 \Rightarrow O_2' \quad b \notin I_2}{t_1\ {}_{O_1}\|_{O_2}\ t_2 \xrightarrow{b}_{r} t_1'\ {}_{O_1}\|_{O_2}\ t_2} \qquad \frac{t_1 \xrightarrow{b}_{r} t_1' \quad t_2 \xrightarrow{b}_{w} t_2'}{t_1\ {}_{O_1}\|_{O_2}\ t_2 \xrightarrow{b}_{rw} t_1'\ {}_{O_1}\|_{O_2}\ t_2'} \qquad \frac{t_1 \xrightarrow{\tau}_{r} t_1'}{t_1\ {}_{O_1}\|_{O_2}\ t_2 \xrightarrow{\tau}_{r} t_1'\ {}_{O_1}\|_{O_2}\ t_2}$$ 

together with the symmetric rules for parallel composition in which the roles of $t_1$ and $t_2$ are exchanged. 

$$\frac{t \xrightarrow{a}_{w} t'}{t[O] \xrightarrow{a}_{w} t'[O]} \qquad \frac{t \xrightarrow{b}_{r} t' \quad b \in O}{t[O] \xrightarrow{b}_{r} t'[O]} \qquad \frac{t \xrightarrow{b}_{r} t' \quad b \notin O}{t[O] \xrightarrow{\tau}_{r} t'[O]} \qquad \frac{t \xrightarrow{\tau}_{r} t'}{t[O] \xrightarrow{\tau}_{r} t'[O]}$$ 

$$\frac{t \xrightarrow{a}_{w} t' \quad a \neq e}{t\{e \leftarrow e'\} \xrightarrow{a}_{w} t'\{e \leftarrow e'\}} \qquad \frac{t \xrightarrow{b}_{r} t' \quad b \neq e}{t\{e \leftarrow e'\} \xrightarrow{b}_{r} t'\{e \leftarrow e'\}} \qquad \frac{t \xrightarrow{\tau}_{r} t'}{t\{e \leftarrow e'\} \xrightarrow{\tau}_{r} t'\{e \leftarrow e'\}}$$ 

$$\frac{t \xrightarrow{e}_{w} t'}{t\{e \leftarrow e'\} \xrightarrow{e'}_{w} t'\{e \leftarrow e'\}} \qquad \frac{t \xrightarrow{e}_{r} t'}{t\{e \leftarrow e'\} \xrightarrow{e'}_{r} t'\{e \leftarrow e'\}}$$ 

$$\frac{t[\mu X.t/X] \xrightarrow{a}_{w} t'}{\mu X.t \xrightarrow{a}_{w} t'} \qquad \frac{t[\mu X.t/X] \xrightarrow{b}_{r} t'}{\mu X.t \xrightarrow{b}_{r} t'} \qquad \frac{t[\mu X.t/X] \xrightarrow{\tau}_{r} t'}{\mu X.t \xrightarrow{\tau}_{r} t'}$$ 

Fig. 2. Transition rules 
5 Metatheory 

In this section, we present a number of results targeted at showing that the typing and transition rules presented in the previous section are sensible and interact properly. In particular, we have the following: 

— A principal type theorem (Theorem 1). 

— A connection between the types that can be inferred for a term and the transitions that can be inferred for it (Theorems 2 and 3). 

— A subject reduction theorem (Theorem 4): well-typedness is preserved across inferable transitions. 



5.1 Principal Types 

Our first result in this section states that inferable types have disjoint sets of inputs and outputs, and that the set of inputs available on the first transition is contained in the set of inputs available on subsequent transitions. 

Lemma 1. Suppose $\vdash t : I/J \Rightarrow O$. Then $I \subseteq J$ and $J \cap O = \emptyset$. 

It is tempting to think that if $\vdash t : I/J \Rightarrow O$, then $\vdash t : I/J \Rightarrow O'$ for all $O' \supseteq O$ such that $J \cap O' = \emptyset$. However, this result does not hold for our type system. As a trivial example, if $t$ is the term $\mathbf{nil}[\emptyset]$, then although $\vdash t : \emptyset \Rightarrow \emptyset$, we do not have $\vdash t : \emptyset \Rightarrow O$ for any nonempty $O$. 

Theorem 1 (Principal Type Theorem). If $\vdash t : I/J \Rightarrow O$ for some $I$, $J$, and $O$, then there exists $O_0$ such that $\vdash t : I/J \Rightarrow O_0$, and such that whenever $\vdash t : I'/J' \Rightarrow O'$ then $I' = I$, $J' = J$, and $O' \supseteq O_0$. 

For a given closed, well-typed term $t$, define the principal type of $t$ to be the type $I/J \Rightarrow O_0$ given by Theorem 1. Let $\mathrm{Proc}_{I,O}$ denote the set of all well-typed closed terms $t$ having principal type $I \Rightarrow O'$ for some $O' \subseteq O$. 
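As an added example (not code from the paper), the following Python computes, over a term's own finite alphabet, every output set O for which a judgement t : I/J ⇒ O is inferable by the rules of Fig. 1, and from that family the principal type of Theorem 1; the tuple encoding of terms, the Untypable exception and the buffer process in the usage are assumptions of the example, and guardedness of recursion variables is assumed rather than checked.

```python
"""Added example (not from the paper): type inference for the PIOA language
following the rules of Fig. 1, and the principal type of Theorem 1.
Terms are tuples (an assumed encoding; guardedness of recursion is assumed):
  ('nil',)  ('var', X)  ('in', a, w, t) = a(w)?t  ('out', b, r, t) = b(r)!t
  ('tau', r, t)  ('sum', t1, t2)  ('par', t1, O1, O2, t2) = t1 O1||O2 t2
  ('hide', t, O) = t[O]  ('ren', t, e, e2) = t{e <- e2}  ('rec', X, t) = mu X.t
A type is (I, J, Os): the unique I and J, and the family Os of every output
set O (over the term's own finite alphabet) with  t : I/J => O  inferable."""
from itertools import combinations, product
fs = frozenset

class Untypable(Exception): pass                        # no judgement is inferable

def alphabet(t):
    """Every action mentioned in t (recursion variables are not actions)."""
    acts = fs() if t[0] in ('rec', 'var') else fs(x for x in t[1:] if isinstance(x, str))
    for x in t[1:]:
        if isinstance(x, tuple):
            acts |= alphabet(x)
        elif isinstance(x, (set, frozenset)):
            acts |= fs(x)
    return acts

def powerset(acts):
    acts = sorted(acts)
    return {fs(c) for n in range(len(acts) + 1) for c in combinations(acts, n)}

def infer(t, acts, env=None):
    """(I, J, Os) for t under assumptions env = {X: (I, I, {O})}, else Untypable."""
    env, tag = env or {}, t[0]
    if tag == 'nil':                                   # nil : {}/{} => O for every O
        return fs(), fs(), powerset(acts)
    if tag == 'var':
        return env[t[1]]                               # KeyError only for open terms
    if tag in ('in', 'out', 'tau'):                    # premise: body t : I => O
        I, J, Os = infer(t[-1], acts, env)
        if I != J or (tag == 'in' and t[1] not in I) or (tag == 'out' and t[1] in I):
            raise Untypable(f'{tag} prefix on {t[1]}: body has type {set(I)}/{set(J)}')
        if tag == 'in':                                # a(w)?t : {a}/I => O
            return fs({t[1]}), I, Os
        if tag == 'out':                               # b(r)!t : {}/I => O u {b}
            return fs(), I, {O | {t[1]} for O in Os}
        return fs(), I, Os                             # tau(r).t : {}/I => O
    if tag == 'sum':                                   # both summands share J
        I1, J1, Os1 = infer(t[1], acts, env)
        I2, J2, Os2 = infer(t[2], acts, env)
        if J1 != J2:
            raise Untypable('summands disagree on the inputs enabled later')
        return I1 | I2, J1, {O1 | O2 for O1 in Os1 for O2 in Os2}
    if tag == 'par':                                   # (I1 u I2)\(O1 u O2) => O1 u O2
        t1, O1, O2, t2 = t[1], fs(t[2]), fs(t[3]), t[4]
        I1, J1, Os1 = infer(t1, acts, env)
        I2, J2, Os2 = infer(t2, acts, env)
        if O1 & O2 or I1 != J1 or I2 != J2:
            raise Untypable('components must be I => O with disjoint output sets')
        if not (any(O <= O1 for O in Os1) and any(O <= O2 for O in Os2)):
            raise Untypable('a component may produce outputs it does not control')
        I = (I1 | I2) - (O1 | O2)
        return I, I, {O1 | O2}
    if tag == 'hide':                                  # needs t : I => O' with O <= O'
        O, (I, J, Os) = fs(t[2]), infer(t[1], acts, env)
        if I != J or not any(O <= O2 for O2 in Os):
            raise Untypable('t[O] hides outputs the body cannot have')
        return I, I, {O}
    if tag == 'ren':                                   # e2 must be fresh for t
        _, s, e, e2 = t
        I, J, Os = infer(s, acts, env)
        if I != J or e2 in I:
            raise Untypable(e2 + ' is already an input of the term')
        inp = e in I                                   # input rename: (I\{e}) u {e2} => O
        I = (I - {e}) | {e2} if inp else I             # output rename: I => (O\{e}) u {e2}
        return I, I, {O if inp else (O - {e}) | {e2} for O in Os if e2 not in O}
    _, X, body = t                                     # 'rec': discharge X : I => O
    Is, Os = set(), set()
    for I, O in product(powerset(acts), repeat=2):     # try every assumption
        try:
            I2, J2, Os2 = infer(body, acts, {**env, X: (I, I, {O})})
        except Untypable:
            continue
        if I2 == J2 == I and O in Os2:
            Is.add(I); Os.add(O)
    if len(Is) != 1:                                   # Theorem 1: I is unique
        raise Untypable('no consistent assumption for ' + X)
    return next(iter(Is)), next(iter(Is)), Os

def principal(t):
    """Principal type (I, J, O) of a closed term: the smallest inferable O."""
    I, J, Os = infer(t, alphabet(t))
    O = min(Os, key=len)                               # Theorem 1: a least O exists
    return I, J, O

if __name__ == '__main__':
    # one-place buffer: the full state self-loops on a, so it stays input-enabled
    full = ('rec', 'Y', ('sum', ('in', 'a', 1, ('var', 'Y')), ('out', 'b', 2, ('var', 'X'))))
    print(principal(('rec', 'X', ('in', 'a', 1, full))))    # I = {a}, J = {a}, O = {b}
    try:
        principal(('in', 'a', 1, ('out', 'b', 2, ('nil',))))  # a is dropped after step 1
    except Untypable as why:
        print('rejected:', why)
```

The buffer is accepted with principal type {a} ⇒ {b}, while a(1)?b(2)!nil is rejected because its second state cannot accept a, which is exactly the input-enabledness the type system enforces.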

5.2 Types and Transitions 

We next establish connections between the types inferable for a term and the transitions inferable for that term. In particular, if a judgement $t : I/J \Rightarrow O$ is inferable, then $I$ is precisely the set of actions $a$ for which a transition of the form $t \xrightarrow{a}_{w} t'$ is inferable, and $O$ contains all actions $b$ for which a transition of the form $t \xrightarrow{b}_{r} t'$ is inferable. Moreover, well-typedness is preserved across transitions, although inferable types are not preserved exactly due to the possibility that the capacity of producing a particular output action can be lost as a result of taking a transition. 

A term $t$ such that $t : I/J \Rightarrow O$ is called input-enabled if for all actions $e \in I$ some transition of the form $t \xrightarrow{e}_{w} t'$ is inferable. 
Theorem 2 (Input Enabledness Theorem). Suppose $t : I/J \Rightarrow O$. Then for all actions $e$, $e \in I$ if and only if a transition of the form $t \xrightarrow{e}_{w} t'$ is inferable. 

Theorem 3. Suppose $t : I/J \Rightarrow O$. Then for all actions $e$, if a transition of the form $t \xrightarrow{e}_{r} t'$ is inferable, then $e \in O$. 

Theorem 4 (Subject Reduction Theorem). Suppose $\vdash t : I/J \Rightarrow O$. If for some term $t'$ a transition of the form $t \xrightarrow{a}_{w} t'$, $t \xrightarrow{b}_{r} t'$, or $t \xrightarrow{\tau}_{r} t'$ is inferable, then $\vdash t' : J/J \Rightarrow O'$ for some $O' \subseteq O$. In particular, $\mathrm{Proc}_{I,O}$ is closed under transitions. 



5.3 Total Transition Weight/Rate 



For given terms $t$ and $t'$ and action $e$, the transition inference rules may yield zero or more distinct inferences of transitions of one of the forms: $t \xrightarrow{e}_{w} t'$, $t \xrightarrow{e}_{r} t'$, or $t \xrightarrow{\tau}_{r} t'$, where $w$ and $r$ vary depending on the specific inference. However, it is a consequence of the requirement that all recursive variables be guarded by a prefixing operation that there can be only finitely many such inferences. We write $t \xRightarrow{e}_{w} t'$ to assert that $w$ is the sum of all the weights $w_i$ appearing in distinct inferences of transitions of the form $t \xrightarrow{e}_{w_i} t'$. We call such an expression a total transition. Since there are only finitely many such inferences, the sum $w$ is finite. In case there are no inferable transitions $t \xrightarrow{e}_{w_i} t'$ we write $t \xRightarrow{e}_{0} t'$. For output and internal transitions, the notations $t \xRightarrow{e}_{r} t'$ and $t \xRightarrow{\tau}_{r} t'$ are defined similarly. 

A related notation will also be useful. Suppose $t$ and $t'$ are closed terms in $\mathrm{Proc}_{I,O}$. Then for all $e \in Act \cup \{\tau\}$ define $\Delta^O_e(t,t')$ as follows: 

1. If $e \in I$, then $\Delta^O_e(t,t')$ is the unique weight $w$ for which $t \xRightarrow{e}_{w} t'$. 

2. If $e \in O$, then $\Delta^O_e(t,t')$ is the unique rate $r$ for which $t \xRightarrow{e}_{r} t'$. 

3. If $e = \tau$, then $\Delta^O_e(t,t')$ is the unique rate $r$ for which $t \xRightarrow{\tau}_{r} t'$. 

4. If $e \notin I \cup O \cup \{\tau\}$ then $\Delta^O_e(t,t) = 1$ and $\Delta^O_e(t,t') = 0$ if $t' \neq t$. 

The derivative of term $t$ by action $e$ is the mapping $\Delta^O_e t : \mathrm{Proc}_{I,O} \to [0, \infty)$ defined so that the relation $(\Delta^O_e t)(t') = \Delta^O_e(t,t')$ holds identically for all terms $t'$. If $S$ is a set of terms, then we use $\Delta^O_e(t,S)$ or $(\Delta^O_e t)(S)$ to denote the sum $\sum_{t' \in S} \Delta^O_e(t,t')$, which is finite. 

Note that the reason why we retain the superscripted $O$ in the $\Delta^O_e$ notation is because the terms $t$ and $t'$ do not uniquely determine the set $O$; therefore whether clause (2) or (4) in the definition applies for a given action $e$ depends on the set $O$. 

E.W. Stark, R. Cleaveland, and S.A. Smolka 

Define the class of input-stochastic terms to be the largest subset of $\mathrm{Proc}_{I,O}$ such that if $t$ is input-stochastic then the following conditions hold: 

1. For all $e \in I$ we have $\Delta^O_e(t, \mathrm{Proc}_{I,O}) = 1$. 

2. Whenever $\Delta^O_e(t,t') > 0$ then $t'$ is also input-stochastic. 

Input-stochastic terms are those for which the weights associated with input transitions can be interpreted as probabilities. These are the terms that are naturally associated with PIOA, in the sense that the set of all input-stochastic terms in $\mathrm{Proc}_{I,O}$ is the set of states of a PIOA with input actions $I$, output actions $O$, and the single internal action $\tau$, and with $\Delta^O_e$ as the “transition matrix” for action $e$. 

In a later section, we will require the notion of the total rate $\mathrm{rt}(t)$ of a closed, well-typed term $t$ such that $\vdash t : I \Rightarrow O$. This quantity is defined as follows: 

$$\mathrm{rt}(t) = \sum_{e \in O \cup \{\tau\}} \sum_{t'} \Delta^O_e(t,t').$$ 

It is a consequence of the fact that only finitely many actions $e$ can appear in term $t$ that $\mathrm{rt}(t)$ is finite. Note also that $\mathrm{rt}(t)$ does not depend on $O$. 



6 Equivalence of Terms 

In this section, we define two notions of equivalence for our language, and investigate their properties. The first equivalence, which we call weighted bisimulation equivalence, is a variant of bisimulation that is based on the same ideas as probabilistic bisimulation [LS91], Hillston’s “strong equivalence” [Hil96], and “strong Markovian bisimulation” [HH02]. The second equivalence, called PIOA behavior equivalence, is based on the notion of the “behavior map” associated with a PIOA, which has appeared in various forms in our previous work [WSS94,WSS97,SS98], along with motivation for the concept. Additional motivation and a detailed comparison of probabilistic bisimulation equivalence and PIOA behavior equivalence can be found in [Sta03]. In the present paper we focus primarily on congruence properties of these equivalences with respect to the operators of our language. 



6.1 Weighted Bisimulation Equivalence 

A weighted bisimulation is an equivalence relation $R$ on $\mathrm{Proc}_{I,O}$ such that whenever $t\,R\,t'$ then for all actions $e$ and all equivalence classes $C$ of $R$ we have $\Delta^O_e(t,C) = \Delta^O_e(t',C)$. Clearly, the identity relation is a weighted bisimulation. It is a standard argument to prove that the transitive closure of the union of an arbitrary collection of weighted bisimulations is again a weighted bisimulation. Thus, there exists a largest weighted bisimulation on $\mathrm{Proc}_{I,O}$. We call it $\sim_{I,O}$, the weighted bisimulation equivalence relation. 

Define a weighting on terms to be a function $\mu$ from $\mathrm{Proc}_{I,O}$ to the non-negative real numbers, such that $\mu(t) = 0$ for all but finitely many terms $t \in \mathrm{Proc}_{I,O}$. Suppose $R$ is an equivalence relation on $\mathrm{Proc}_{I,O}$. Define the lifting of $R$ to weightings to be the relation $\hat R$ on weightings defined by the following condition: $\mu\,\hat R\,\mu'$ if and only if $\mu(C) = \mu'(C)$ for all equivalence classes $C$ of $R$. 

The following result (cf. [JLY01]) simply restates the definition of weighted bisimulation in terms of weightings. 

Lemma 2. An equivalence relation $R$ on $\mathrm{Proc}_{I,O}$ is a weighted bisimulation if and only if $t\,R\,u$ implies $\Delta^O_e t\ \hat R\ \Delta^O_e u$ for all terms $t, u$ and all actions $e$. 

Lemma 3. Let $R$ be a symmetric relation on terms. If for all terms $t, u$ and all actions $e$ we have 

$$t\,R\,u \text{ implies } \Delta^O_e t\ \widehat{(R \cup \sim_{I,O})}\ \Delta^O_e u,$$ 

then $R \subseteq \sim_{I,O}$. 

Lemma 3 can be used to establish that weighted bisimilarity is substitutive with respect to the operators of our language. 

Theorem 5. The following hold, whenever the sets of inputs and outputs are such that the terms are well-typed and the indicated relations make sense: 

1. If $t \sim_{I,O} t'$, then 

a) $a_{(w)}\,?\,t \sim_{I,O} a_{(w)}\,?\,t'$ 

b) $b_{(r)}\,!\,t \sim_{I,O} b_{(r)}\,!\,t'$ 

c) $\tau_{(r)} \cdot t \sim_{I,O} \tau_{(r)} \cdot t'$ 

2. If $t_1 \sim_{I,O} t_1'$ and $t_2 \sim_{I,O} t_2'$, then $t_1 + t_2 \sim_{I,O} t_1' + t_2'$. 

3. If $t_1 \sim_{I_1,O_1} t_1'$ and $t_2 \sim_{I_2,O_2} t_2'$, then $t_1\ {}_{O_1}\|_{O_2}\ t_2 \sim_{I,O} t_1'\ {}_{O_1}\|_{O_2}\ t_2'$. 

4. If $t \sim t'$, then $t[O] \sim t'[O]$. 

5. If $t \sim t'$, then $t\{e \leftarrow e'\} \sim t'\{e \leftarrow e'\}$. 

6.2 Behavior Equivalence 

In this section, we restrict our attention to the fragment of the language obtained by omitting internal actions and hiding. Let $\mathrm{Proc}^{\circ}_{I,O}$ denote the portion of $\mathrm{Proc}_{I,O}$ contained in this fragment. The full language can be treated, but the definition of behavior equivalence becomes more complicated and requires the use of fixed-point techniques, rather than the simple inductive definition given below. 

Behavior equivalence is defined by associating with each closed term $t$ with $\vdash t : I \Rightarrow O$ a certain function $B^O_t$ which we call the behavior of $t$. Terms $t$ and $t'$ will be called behavior equivalent if their associated behaviors are identical. 

To define $B^O_t$, some preliminary definitions are required. A rated action is a pair $(r, e) \in [0, \infty) \times Act$. Rather than the somewhat heavy notation $(r, e)$, we usually denote a rated action by an expression ${}_r e$ in which the rate appears as a subscript preceding the action. A finite sequence 

$${}_{r_1} e_1\ {}_{r_2} e_2 \cdots {}_{r_n} e_n$$ 

of rated actions is called a rated trace. We use $\varepsilon$ to denote the empty rated trace. 

An observable is a mapping from rated traces to real numbers. We use $\mathrm{Obs}$ to denote the set of all observables. The derivative of an observable $\Phi$ by a rated action ${}_r e$ is the observable $\Phi'$ defined by $\Phi'(\alpha) = \Phi({}_r e\,\alpha)$ for all rated traces $\alpha$. Borrowing notation from the literature on formal power series (of which observables are an example), we write ${}_r e^{-1} \Phi$ to denote the derivative of $\Phi$ by the rated action ${}_r e$. 

To each term $t$ in $\mathrm{Proc}^{\circ}_{I,O}$ associate a transformation of observables: 

$$B^O_t : \mathrm{Obs} \to \mathrm{Obs}$$ 

according to the following inductive definition: 

$$B^O_t[\Phi](\varepsilon) = \Phi(\varepsilon), \qquad B^O_t[\Phi]({}_r e\,\alpha) = \sum_{t'} \Delta^O_e(t,t')\, B^O_{t'}[{}_{r + \mathrm{rt}(t)} e^{-1} \Phi](\alpha).$$ 

Terms $t$ and $t'$ in $\mathrm{Proc}^{\circ}_{I,O}$ are called behavior equivalent, and we write $t \equiv_{I,O} t'$, if $B^O_t = B^O_{t'}$. 

Intuitively, in the definition of $B^O_t[\Phi](\alpha)$, one should think of the rated trace $\alpha$ as giving certain partial information about a particular set of execution trajectories that might be traversed by a process $t$ in combination with its environment. In particular, if $\alpha = {}_{r_1} e_1\ {}_{r_2} e_2 \cdots {}_{r_n} e_n$, then $e_1 e_2 \ldots e_n$ is the sequence of actions performed in such a trajectory (including both input and output actions) and $r_1 r_2 \cdots r_n$ is the sequence of output rates associated with the successive states visited by the environment in such a trajectory. The observable $\Phi$ should be thought of as a way of associating some numeric measure, or reward, with trajectories. By “unwinding” the definition of $B^O_t[\Phi](\alpha)$, one can see that it amounts to a weighted summation of the rewards $\Phi(\alpha')$ associated with trajectories $\alpha'$ that start from $t$ and that “match” $\alpha$, in the sense that $\alpha$ and $\alpha'$ have the same sequence of actions, but the rates of actions in $\alpha'$ are obtained by adding to the rate of the corresponding action in $\alpha$ the total rate $\mathrm{rt}(u)$ of a state $u$ reachable by process $t$. Further explanation and examples of what can be done with behavior maps can be found in [SS98,Sta03]. 

The next result states that behavior equivalent terms have the same total rate, and the same total transition weight for each individual action. 

Lemma 4. Suppose $t \equiv_{I,O} t'$. Then 

1. $\sum_{u} \Delta^O_e(t, u) = \sum_{u} \Delta^O_e(t', u)$ for all $e \in Act$. 

2. $\mathrm{rt}(t) = \mathrm{rt}(t')$. 

A mistake that we made repeatedly while developing the language and these results was to suppose that the choice operator in the language ought to correspond to the sum of behavior maps. This is wrong. The following result shows the correct relationship. 
Lemma 5. Suppose $t_1$ and $t_2$ are terms, such that $\vdash t_1 + t_2 : I \Rightarrow O$. Then for all observables $\Phi$, rated actions ${}_r e$, and rated traces $\alpha'$: 

$$B^O_{t_1+t_2}[\Phi](\varepsilon) = \Phi(\varepsilon)$$ 

$$B^O_{t_1+t_2}[\Phi]({}_r e\,\alpha') = B^O_{t_1}[\Phi]({}_{r+\mathrm{rt}(t_2)} e\,\alpha') + B^O_{t_2}[\Phi]({}_{r+\mathrm{rt}(t_1)} e\,\alpha').$$ 

The following result states that behavior maps are compositional with respect to the parallel operator. We have proved this result in various forms in our previous papers [WSS94,WSS97,SS98]. A proof of the result based on the specific definition of behavior map given here appears in [Sta03]. 

Lemma 6. Suppose $t_1$ and $t_2$ are terms, such that $\vdash t_1\ {}_{O_1}\|_{O_2}\ t_2 : I \Rightarrow O$. Then 

$$B^O_{t_1\ {}_{O_1}\|_{O_2}\ t_2} = B^{O_1}_{t_1} \circ B^{O_2}_{t_2}.$$ 

Lemma 7. Suppose $\vdash t\{e \leftarrow e'\} : I \Rightarrow O$. Let the mapping $h$ on rated traces be the string homomorphism that interchanges ${}_r e$ and ${}_r e'$ and is the identity mapping on all other rated actions. Then 

$$B^O_{t\{e \leftarrow e'\}}[\Phi] = B^{O'}_{t}[\Phi \circ h] \circ h,$$ 

where $O' = O$ if $e' \in I$, and $O' = (O \setminus \{e'\}) \cup \{e\}$ if $e' \in O$. 

The preceding lemmas can be used to show that behavior equivalence is substitutive with respect to the operations of our language (exclusive of internal prefixing and hiding). The proofs are all ultimately by induction on the length of the rated trace $\alpha$ supplied as argument, though in the cases of parallel composition and renaming we have been able to hide this “operational” induction inside the more “denotational” Lemmas 6 and 7. 



Theorem 6. The following hold, whenever the sets of inputs and outputs are
such that the terms are well-typed and the indicated relations make sense:

1. If t ≡ t', then

   a) e(w)?t ≡ e(w)?t'
   b) e(r)!t ≡ e(r)!t'

2. If t1 ≡ t'1 and t2 ≡ t'2, then t1 + t2 ≡ t'1 + t'2.

3. If t1 ≡ t'1 and t2 ≡ t'2, then t1 ₒ₁‖ₒ₂ t2 ≡ t'1 ₒ₁‖ₒ₂ t'2.

4. If t ≡ t', then t{e ← e'} ≡ t'{e ← e'}.



6.3 Comparison of the Equivalences

The following result is a consequence of characterizations, obtained in [Sta03],
of weighted bisimulation equivalence and behavior equivalence.

Theorem 7. Suppose t and t' are in Proc_{I,O}. If t ~ t', then t ≡ t'.

In addition, if I = ∅ and O = {a, b, c} then we have

a(1)!b(2)!nil + a(1)!c(2)!nil  ≡  a(2)!(b(1)!nil + c(1)!nil),

but the same two terms are not related by ~. Thus, weighted bisimulation
equivalence is a strict refinement of behavior equivalence.

7 Conclusion 

We have presented a process-algebraic language having input, output, and in-
ternal transitions, where input actions are labeled by weights and output and
internal actions are labeled by rates. A set of typing rules is employed to define
the sets Proc_{I,O} of well-typed terms, which are guaranteed to have transitions
enabled for all actions a ∈ I. A readily identifiable subset of the well-typed
terms are the input-stochastic terms, in which input weights can be interpreted
as probabilities. The input-stochastic terms are therefore the states of a PIOA,
so that the language is suitable for writing PIOA-based specifications. We have
defined two equivalences on the language, a weighted bisimulation equivalence
defined in the same pattern as the classical probabilistic bisimulation equiva-
lence, and a so-called "behavior equivalence" whose definition is motivated by
our previous work on PIOA. Both equivalences were shown to be congruences,
and we noted that weighted bisimulation equivalence is a strict refinement of
behavior equivalence.

A natural direction for future work is to axiomatize the equational theories
of the two congruences. For weighted bisimulation equivalence, a standard equa-
tional axiomatization should be possible, and is not likely to yield any surprises.
The situation for behavior equivalence is a bit different, however. Weighted bisi-
mulation equivalence is the largest equivalence on terms that respects transition
weights in the sense of Lemma 2. Since behavior equivalence relates terms that
are not weighted bisimulation equivalent, it will not be possible to obtain an
equational axiomatization of behavior equivalence, at least in the context of a
theory of equations between terms. However, it appears that it is possible to
obtain an axiomatization of behavior equivalence in the context of a theory of
equations between weightings, rather than terms. We are currently working out
the details of this idea.
Abstract. We establish that on the domain of probabilistic automata,
the trace distribution preorder coincides with the simulation preorder.



1 Introduction 

Probabilistic automata [9,10,12] constitute a mathematical framework for mo- 
deling and analyzing probabilistic systems, specifically, systems consisting of 
asynchronously interacting components that may make nondeterministic and 
probabilistic choices. They have been applied successfully to distributed algo- 
rithms [3,7,1] and practical communication protocols [13]. 

An important part of a system modeling framework is a notion of external 
behavior of system components. Such a notion can be used to define imple- 
mentation and equivalence relationships between components. For example, the 
external behavior of a nondeterministic automaton can be defined as its set of 
traces — the sequences of external actions that arise during its executions [5]. 
Implementation and equivalence of nondeterministic automata can be defined 
in terms of inclusion and equality of sets of traces. By analogy, Segala [9] has 
proposed defining the external behavior of a probabilistic automaton as its set of 
trace distributions, and defining implementation and equivalence in terms of in- 
clusion and equality of sets of trace distributions. Stoelinga and Vaandrager have 
proposed a simple testing scenario for probabilistic automata, and have proved 
that the equivalence notion induced by their scenario coincides with Segala’s 
trace distribution equivalence [14]. 
However, a problem with these notions is that trace distribution inclusion
and equivalence are not compositional. To address this problem, Segala [9] de-
fined more refined notions of implementation and equivalence. In particular, he
defined the trace distribution precongruence, ≤_DC, as the coarsest precongruence
included in the trace distribution inclusion relation. This yields compositionality
by construction, but does not provide insight into the nature of the ≤_DC relation.
Segala also provided a characterization of ≤_DC in terms of the set of trace dis-
tributions observable in a certain principal context, a rudimentary probabilistic
automaton that makes very limited nondeterministic and probabilistic choices.
However, this indirect characterization still does not provide much insight into
the structure of ≤_DC; for example, it does not explain its branching structure.

In this paper, we provide an explicit characterization of the trace distribution
precongruence, ≤_DC, for probabilistic automata, that completely explains its
branching structure. Namely, we show that P1 ≤_DC P2 if and only if there
exists a weak probabilistic (forward) simulation relation from P1 to P2. Moreover,
we provide a similar characterization of ≤_DC for nondeterministic automata
in terms of the existence of a weak (non-probabilistic) simulation relation. It
was previously known that simulation relations are sound for ≤_DC [9], for both
nondeterministic and probabilistic automata; we show the surprising fact that
they are also complete. That is, we show that, for both nondeterministic and
probabilistic automata, probabilistic contexts can observe all the distinctions
that can be expressed using simulation relations.

Sections 2 and 3 contain basic definitions and results for nondeterministic and 
probabilistic automata, respectively, and for the preorders we consider. These 
sections contain no new material, but recall definitions and theorems from the 
literature. For a more leisurely introduction see [5,12]. Sections 4 and 5 con- 
tain our characterization results for nondeterministic and probabilistic automata. 
Section 6 contains our conclusions. 

A full version of this paper, including all proofs, appears in [4]. 

2 Definitions for Nondeterministic Automata

A (nondeterministic) automaton is a tuple A = (Q, q̄, E, H, D), where Q is a
set of states, q̄ ∈ Q is a start state, E is a set of external actions, H is a set
of internal (hidden) actions with E ∩ H = ∅, and D ⊆ Q × (E ∪ H) × Q is a
transition relation. We denote E ∪ H by 𝒜 and we refer to it as the set of actions.
We denote a transition (q, a, q') of D by q -a-> q'. We write q -> q' if q -a-> q' for
some a, and we write q -> if q -> q' for some q'. We assume finite branching: for
each state q the number of pairs (a, q') such that q -a-> q' is finite. We denote the
elements of an automaton A by Q_A, q̄_A, E_A, H_A, D_A, 𝒜_A. Often we use the
name A for a generic automaton; then we usually omit the subscripts, writing
simply Q, q̄, E, H, D, and 𝒜. We extend this convention to allow indices
and primes as well; thus, the set of states of automaton A' is denoted by Q'.

An execution fragment of an automaton A is a finite or infinite sequence
α = q0 a1 q1 a2 q2 ... of alternating states and actions, starting with a state and,
if the sequence is finite, ending in a state, where each (q_i, a_{i+1}, q_{i+1}) ∈ D. State
q0, the first state of α, is denoted by fstate(α). If α is a finite sequence, then the
last state of α is denoted by lstate(α). An execution is an execution fragment
whose first state is the start state q̄. We let frags(A) denote the set of execution
fragments of A and frags*(A) the set of finite execution fragments. Similarly,
we let execs(A) denote the set of executions of A and execs*(A) the set of finite
executions.

Execution fragment α is a prefix of execution fragment α', denoted by α ≤
α', if sequence α is a prefix of sequence α'. Finite execution fragment α1 =
q0 a1 q1 ... a_k q_k and execution fragment α2 can be concatenated if fstate(α2) = q_k.
In this case the concatenation of α1 and α2, α1 ⌢ α2, is the execution fragment
q0 a1 q1 ... a_k α2. Given an execution fragment α and a finite prefix α', α ▷ α'
(read α after α') is defined to be the unique execution fragment α'' such that
α = α' ⌢ α''.

The trace of an execution fragment α of an automaton A, written trace_A(α),
or just trace(α) when A is clear from context, is the sequence obtained by re-
stricting α to the set of external actions of A. For a set S of executions of A,
traces_A(S), or just traces(S) when A is clear from context, is the set of traces
of the executions in S. We say that β is a trace of A if there is an execution α
of A with trace(α) = β. Let traces(A) denote the set of traces of A. We define
the trace preorder relation on automata as follows: A1 ≤_T A2 iff E1 = E2 and
traces(A1) ⊆ traces(A2). We use ≡_T to denote the kernel of ≤_T.

If a ∈ 𝒜, then q =a=> q' iff there exists an execution fragment α such that
fstate(α) = q, lstate(α) = q', and trace(α) = trace(a). (Here and elsewhere, we
abuse notation slightly by extending the trace function to arbitrary sequences.)
We call q =a=> q' a weak transition. We let tr range over either transitions or weak
transitions. For a transition tr = (q, a, q'), we denote q by source(tr) and q' by
target(tr).

Composition: Automata A1 and A2 are compatible if H1 ∩ 𝒜2 = 𝒜1 ∩ H2 = ∅.
The composition of compatible automata A1 and A2, denoted by A1‖A2, is the
automaton A = (Q1 × Q2, (q̄1, q̄2), E1 ∪ E2, H1 ∪ H2, D) where D is the set of
triples (q, a, q') such that, for i ∈ {1, 2}:

a ∈ 𝒜_i ⇒ (π_i(q), a, π_i(q')) ∈ D_i   and   a ∉ 𝒜_i ⇒ π_i(q) = π_i(q').

Let α be an execution fragment of A1‖A2, i ∈ {1, 2}. Then π_i(α), the
projection of α, is the sequence obtained from α by projecting each state onto its
i-th component, and removing each action not in 𝒜_i together with its following
state. Sometimes we denote this projection by α⌈A_i.

Proposition 1. Let A1 and A2 be automata, with A1 ≤_T A2. Then, for each
automaton C compatible with both A1 and A2, A1‖C ≤_T A2‖C.

Simulation Relations: Below we define two kinds of simulation relations: a for-
ward simulation, which provides a step-by-step correspondence, and a weak for-
ward simulation, which is insensitive to the occurrence of internal steps.
Namely, relation R ⊆ Q1 × Q2 is a forward simulation (resp., weak forward
simulation) from A1 to A2 iff E1 = E2 and both of the following hold:

1. q̄1 R q̄2.

2. If q1 R q2 and q1 -a-> q1', then there exists q2' such that q2 -a-> q2' (resp.,
q2 =a=> q2') and q1' R q2'.

We write A1 ≤_F A2 (resp., A1 ≤_wF A2) when there is a forward simulation
(resp., a weak forward simulation) from A1 to A2.

Proposition 2. Let A1 and A2 be automata. Then:

1. If A1 ≤_F A2 then A1 ≤_wF A2.

2. If H1 = H2 = ∅, then A1 ≤_F A2 iff A1 ≤_wF A2.

3. If A1 ≤_wF A2 then A1 ≤_T A2.

Proof. Standard; for instance, see [6].
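As an added worked example (our own code, not code from the paper), the following Python decides A1 ≤_F A2 and A1 ≤_wF A2 for finite automata by computing the greatest (weak) forward simulation: start from Q1 × Q2 and delete every pair that violates the step condition until nothing changes; the relation that survives is the largest simulation, and A1 is simulated by A2 iff the pair of start states survives. Weak steps q =a=> q' are computed as closure under internal actions around one a-step. The automata A1 to A4 and all identifiers are constructed for this illustration and are not taken from the paper.

```python
from typing import Iterable, Set, Tuple

class Automaton:
    """A = (Q, qbar, E, H, D); D is a set of triples (q, a, q')."""

    def __init__(self, start: str, external: Iterable[str], internal: Iterable[str],
                 transitions: Iterable[Tuple[str, str, str]]):
        self.E, self.H = frozenset(external), frozenset(internal)
        assert not (self.E & self.H), "E and H must be disjoint"
        self.start = start
        self.D = frozenset(transitions)
        assert all(a in self.E | self.H for _, a, _ in self.D)
        self.Q = frozenset({start} | {q for q, _, _ in self.D} | {q for _, _, q in self.D})

    def step(self, q: str, a: str) -> Set[str]:
        """{q' | q -a-> q'}"""
        return {t for (s, b, t) in self.D if s == q and b == a}

    def internal_closure(self, q: str) -> Set[str]:
        """States reachable from q by zero or more internal steps."""
        seen, todo = {q}, [q]
        while todo:
            p = todo.pop()
            for (s, b, t) in self.D:
                if s == p and b in self.H and t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def weak_step(self, q: str, a: str) -> Set[str]:
        """{q' | q ==a=> q'}: reachable by a fragment whose trace is trace(a).
        An action that is not external here has the empty trace."""
        before = self.internal_closure(q)
        if a not in self.E:
            return before
        after: Set[str] = set()
        for p in before:
            for m in self.step(p, a):
                after |= self.internal_closure(m)
        return after

def greatest_simulation(a1: Automaton, a2: Automaton, weak: bool = False):
    """Largest R ⊆ Q1 x Q2 satisfying the step condition, as a greatest fixpoint:
    delete pairs that fail the condition until the relation is stable."""
    R = {(q1, q2) for q1 in a1.Q for q2 in a2.Q}
    changed = True
    while changed:
        changed = False
        for (q1, q2) in list(R):
            for (s, a, q1n) in a1.D:
                if s != q1:
                    continue
                answers = a2.weak_step(q2, a) if weak else a2.step(q2, a)
                if not any((q1n, q2n) in R for q2n in answers):
                    R.discard((q1, q2))
                    changed = True
                    break
    return R

def simulates(a1: Automaton, a2: Automaton, weak: bool = False) -> bool:
    """A1 <=_F A2 (weak=False) or A1 <=_wF A2 (weak=True): same external actions
    and the start states are related by the greatest simulation."""
    return a1.E == a2.E and (a1.start, a2.start) in greatest_simulation(a1, a2, weak)

# Constructed automata: A1 and A2 have the same traces, but only A2 <=_F A1 holds
# (a.(b + c) versus a.b + a.c); A3 takes an internal 'tau' step first, so it is
# related to A4 only by the weak simulation.
A1 = Automaton("s0", {"a", "b", "c"}, set(),
               {("s0", "a", "s1"), ("s1", "b", "s2"), ("s1", "c", "s3")})
A2 = Automaton("t0", {"a", "b", "c"}, set(),
               {("t0", "a", "t1"), ("t0", "a", "t2"), ("t1", "b", "t3"), ("t2", "c", "t4")})
A3 = Automaton("u0", {"a"}, {"tau"}, {("u0", "tau", "u1"), ("u1", "a", "u2")})
A4 = Automaton("v0", {"a"}, set(), {("v0", "a", "v1")})

if __name__ == "__main__":
    print("A2 <=_F A1:", simulates(A2, A1), "  A1 <=_F A2:", simulates(A1, A2))
    print("A3 <=_F A4:", simulates(A3, A4), "  A3 <=_wF A4:", simulates(A3, A4, weak=True))
```

Since Sect. 4 of the paper shows that ≤_DC coincides with ≤_wF (and with ≤_F when there are no internal actions), the same fixpoint computation decides the trace distribution precongruence for finite nondeterministic automata; the A1/A2 pair above is exactly the branching distinction that trace inclusion misses.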

Tree-Structured Automata: An automaton is tree-structured if each state can
be reached via a unique execution. The unfolding of automaton A, denoted by
Unfold(A), is the tree-structured automaton B obtained from A by unfolding
its transition graph into a tree. Formally, Q_B = execs*(A), q̄_B = q̄_A, E_B = E_A,
H_B = H_A, and D_B = {(α, a, α a q) | (lstate(α), a, q) ∈ D_A}.

Proposition 3. A ≡_F Unfold(A).

Proof. See [6]. It is easy to check that the relation R, where α R q iff lstate(α) =
q, is a forward simulation from Unfold(A) to A and that the inverse relation of
R is a forward simulation from A to Unfold(A).

Proposition 4. A ≡_T Unfold(A).

Proof. By Proposition 3 and Proposition 2, Parts 1 and 3.



3 Definitions for Probabilistic Automata 

A discrete probability measure over a set X is a measure μ on (X, 2^X) such that
μ(X) = 1. A discrete sub-probability measure over X is a measure μ on (X, 2^X)
such that μ(X) ≤ 1. We denote the set of discrete probability measures and
discrete sub-probability measures over X by Disc(X) and SubDisc(X), respec-
tively. We denote the support of a discrete measure μ, i.e., the set of elements
that have non-zero measure, by supp(μ). We let δ(q) denote the Dirac measure
for q, the discrete probability measure that assigns probability 1 to {q}. Finally,
if X is finite, then U(X) denotes the uniform distribution over X, the measure
that assigns probability 1/|X| to each element of X.

A probabilistic automaton (PA) is a tuple P = (Q, q̄, E, H, D), where all
components are exactly as for nondeterministic automata, except that D, the
transition relation, is a subset of Q × (E ∪ H) × Disc(Q). We define 𝒜 as before.
We denote transition (q, a, μ) by q -a-> μ. We assume finite branching: for each
state q the number of pairs (a, μ) such that q -a-> μ is finite. Given a transition
tr = (q, a, μ) we denote q by source(tr) and μ by target(tr).

Thus, a probabilistic automaton differs from a nondeterministic automaton
in that a transition leads to a probability measure over states rather than to a
single state. A nondeterministic automaton is a special case of a probabilistic
automaton, where the last component of each transition is a Dirac measure. Con-
versely, we can associate a nondeterministic automaton with each probabilistic
automaton by replacing transition relation D by the relation D' given by

(q, a, q') ∈ D'  iff  ∃μ : (q, a, μ) ∈ D ∧ μ(q') > 0.

Using this correspondence, notions such as execution fragments and traces carry
over from nondeterministic automata to probabilistic automata.

A scheduler for a PA P is a function σ : frags*(P) → SubDisc(D) such
that tr ∈ supp(σ(α)) implies source(tr) = lstate(α). A scheduler σ is said to be
deterministic if for each finite execution fragment α, either σ(α)(D) = 0 or else
σ(α) = δ(tr) for some tr ∈ D.

A scheduler σ and a state q0 induce a measure μ on the σ-field generated by
cones of execution fragments as follows. If α = q0 a1 q1 ... a_k q_k is a finite execution
fragment, then the cone of α is defined by C_α = {α' ∈ frags(P) | α ≤ α'}, and
the measure of C_α is defined by

$$\mu(C_\alpha) \;=\; \prod_{i \in \{0,\dots,k-1\}} \;\sum_{\mu'} \sigma(q_0 a_1 \cdots a_i q_i)\big((q_i, a_{i+1}, \mu')\big)\,\mu'(q_{i+1}).$$

Standard measure theoretical arguments ensure that μ is well defined. We call the
measure μ a probabilistic execution fragment of P and we say that μ is generated
by σ and q0. We call state q0 the first state of μ and denote it by fstate(μ). If
fstate(μ) is the start state q̄, then μ is called a probabilistic execution.

The trace function is a measurable function from the σ-field generated by
cones of execution fragments to the σ-field generated by cones of traces. Gi-
ven a probabilistic execution fragment μ, we define the trace distribution of μ,
tdist(μ), to be the image measure of μ under trace. We denote the set of trace
distributions of probabilistic executions of a PA P by tdists(P). We define the
trace distribution preorder relation on probabilistic automata by: P1 ≤_D P2 iff
E1 = E2 and tdists(P1) ⊆ tdists(P2).

Combined Transitions: Let {q -a-> μ_i}_{i∈I} be a collection of transitions of P, and
let {p_i}_{i∈I} be a collection of probabilities such that Σ_{i∈I} p_i = 1. Then the triple
(q, a, Σ_{i∈I} p_i μ_i) is called a combined transition of P.

Consider a probabilistic execution fragment μ that assigns probability 1 to
the set of all finite execution fragments with trace a. Let μ' be the measure
defined by μ'(q) = μ({α | lstate(α) = q}). Then fstate(μ) =a=> μ' is a weak com-
bined transition of P. If μ can be generated by a deterministic scheduler, then
fstate(μ) =a=> μ' is a weak transition.
Proposition 5. Let {tr_i}_{i∈I} be a collection of weak combined transitions of a
PA P, all starting in the same state q, and all labeled by the same action a,
and let {p_i}_{i∈I} be probabilities such that Σ_{i∈I} p_i = 1. Then Σ_{i∈I} p_i tr_i is a weak
combined transition of P labeled by a.

Proof. See [9] or [11].

Composition: Two PAs, P1 and P2, are compatible if H1 ∩ 𝒜2 = 𝒜1 ∩ H2 =
∅. The composition of two compatible PAs P1, P2, denoted by P1‖P2, is the
PA P = (Q1 × Q2, (q̄1, q̄2), E1 ∪ E2, H1 ∪ H2, D) where D is the set of triples
(q, a, μ1 × μ2) such that, for i ∈ {1, 2}:

a ∈ 𝒜_i ⇒ (π_i(q), a, μ_i) ∈ D_i   and   a ∉ 𝒜_i ⇒ μ_i = δ(π_i(q)).

The trace distribution preorder is not preserved by composition [10,11]. Thus,
we define the trace distribution precongruence, ≤_DC, to be the coarsest precon-
gruence included in the trace distribution preorder ≤_D. This relation has a simple
characterization:

Proposition 6. Let P1 and P2 be PAs. Then P1 ≤_DC P2 iff for every PA C
that is compatible with both P1 and P2, P1‖C ≤_D P2‖C.

Simulation Relations: The definitions of forward simulation and weak forward
simulation in Sect. 2 can be extended naturally to PAs [10]. However, Segala
has shown [8] that the resulting simulations are not complete for ≤_DC, and
has defined new candidate simulations. These new simulations relate states to
probability distributions on states.

In order to define formally the new simulations we need three new con-
cepts. First we show how to lift a relation between sets to a relation bet-
ween distributions over sets [2]. Let R ⊆ X × Y. The lifting of R is a re-
lation R' ⊆ Disc(X) × Disc(Y) such that μ_X R' μ_Y iff there is a function
w : X × Y → [0, 1] that satisfies:

1. If w(x, y) > 0 then x R y.

2. For each x ∈ X, Σ_{y∈Y} w(x, y) = μ_X(x).

3. For each y ∈ Y, Σ_{x∈X} w(x, y) = μ_Y(y).

We abuse notation and denote the lifting of a relation R by R as well.

Next we define a flattening operation that converts a measure ν contained
in Disc(Disc(X)) into a measure flatten(ν) in Disc(X). Namely, we define

$$\mathit{flatten}(\nu) \;=\; \sum_{\mu \in \mathit{supp}(\nu)} \nu(\mu)\,\mu.$$

Finally, we lift the notion of a transition to a hyper-transition [11] that begins
and ends with probability distributions over states. Thus, let P be a PA and
let μ ∈ Disc(Q). For each q ∈ supp(μ), let q -a-> μ_q be a combined transition of
P. Let μ' be Σ_{q∈supp(μ)} μ(q) μ_q. Then μ -a-> μ' is called a hyper-transition of P.
Also, for each q ∈ supp(μ), let q =a=> μ_q be a weak combined transition of P. Let
μ' be Σ_{q∈supp(μ)} μ(q) μ_q. Then μ =a=> μ' is called a weak hyper-transition of P.

We now define simulations for probabilistic automata. A relation R ⊆ Q1 ×
Disc(Q2) is a probabilistic forward simulation (resp., weak probabilistic forward
simulation) from PA P1 to PA P2 iff E1 = E2 and both of the following hold:

1. q̄1 R δ(q̄2).

2. For each pair q1, μ2 such that q1 R μ2 and each transition q1 -a-> μ1' there
exists a distribution ν2' ∈ Disc(Disc(Q2)) such that μ1' R ν2' and such that
μ2 -a-> flatten(ν2') (resp., μ2 =a=> flatten(ν2')) is a hyper-transition (resp., a
weak hyper-transition) of P2.

We write P1 ≤_PF P2 (resp., P1 ≤_wPF P2) whenever there is a probabilistic
forward simulation (resp., a weak probabilistic forward simulation) from P1 to
P2. Note that a forward simulation between nondeterministic automata is a
probabilistic forward simulation between the two automata viewed as PAs:

Proposition 7. Let A1 and A2 be nondeterministic automata. Then:

1. A1 ≤_F A2 implies A1 ≤_PF A2, and

2. A1 ≤_wF A2 implies A1 ≤_wPF A2.

Proposition 8. Let P1 and P2 be PAs. Then:

1. If P1 ≤_PF P2 then P1 ≤_wPF P2.

2. If H1 = H2 = ∅, then P1 ≤_PF P2 iff P1 ≤_wPF P2.

3. If P1 ≤_wPF P2 then P1 ≤_DC P2.

Proof. See [9].
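The lifting of a relation, the flattening operation, and hyper-transitions above are all computational: deciding whether μ_X R μ_Y holds is the question whether a weight function w exists, which is a transportation problem, so it can be settled exactly by a maximum flow in the bipartite network source → x (capacity μ_X(x)) → y (capacity 1, edge present only if x R y) → sink (capacity μ_Y(y)); the lifting holds iff the maximum flow has value 1, and the flow on the x→y edges is then a witness w. The Python below (our own added example, not code from the paper) implements that check with exact rational arithmetic, then uses flatten, combined transitions and hyper-transitions to verify one constructed instance of Condition 2 of the probabilistic forward simulation. The relation R_EX, the distributions MU_X, MU_Y_OK, MU_Y_BAD, NU_EX and the two-state fragment of hypothetical PAs P1, P2 inside example_step are assumptions made for the illustration.

```python
from collections import deque
from fractions import Fraction

def max_flow(capacity, source, sink):
    """Edmonds-Karp on a dict-of-dicts capacity graph, exact over Fractions.
    Returns (value, residual); the residual lets the caller read off the flow."""
    residual = {}
    for u, edges in capacity.items():
        residual.setdefault(u, {})
        for v, c in edges.items():
            residual[u][v] = residual[u].get(v, Fraction(0)) + c
            residual.setdefault(v, {}).setdefault(u, Fraction(0))
    value = Fraction(0)
    while True:
        parent, queue = {source: None}, deque([source])
        while queue and sink not in parent:            # BFS for a shortest augmenting path
            u = queue.popleft()
            for v, c in residual[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return value, residual
        path, v = [], sink
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(residual[u][v] for u, v in path)
        for u, v in path:
            residual[u][v] -= bottleneck
            residual[v][u] += bottleneck
        value += bottleneck

def lifted(R, mu_x, mu_y):
    """Decide mu_x R mu_y for the lifting of R to Disc(X) x Disc(Y). A weight function w
    is a flow of value 1 through src -> x (cap mu_x(x)) -> y (cap 1 iff x R y) -> snk (cap mu_y(y)).
    Returns w restricted to its support, or None when no weight function exists."""
    assert sum(mu_x.values()) == 1 and sum(mu_y.values()) == 1
    cap = {"src": {("x", x): p for x, p in mu_x.items()}, "snk": {}}
    for x in mu_x:
        cap[("x", x)] = {("y", y): Fraction(1) for y in mu_y if (x, y) in R}
    for y, p in mu_y.items():
        cap[("y", y)] = {"snk": p}
    value, residual = max_flow(cap, "src", "snk")
    if value != 1:
        return None
    w = {(x, y): 1 - residual[("x", x)][("y", y)]      # flow = capacity - residual capacity
         for x in mu_x for y in mu_y if (x, y) in R}
    return {xy: p for xy, p in w.items() if p > 0}

def flatten(nu):
    """flatten(nu) = sum over mu in supp(nu) of nu(mu) * mu; nu is given as [(prob, mu)]."""
    out = {}
    for p, mu in nu:
        for x, r in mu.items():
            out[x] = out.get(x, Fraction(0)) + p * r
    return out

def combined_transition(targets, weights):
    """Target of the combined transition q -a-> sum_i p_i mu_i."""
    assert sum(weights) == 1
    return flatten(list(zip(weights, targets)))

def hyper_transition(mu, choice):
    """Target mu' = sum_q mu(q) * choice[q] of the hyper-transition mu -a-> mu', where
    choice[q] is the target of a combined a-transition from q, for each q in supp(mu)."""
    return flatten([(p, choice[q]) for q, p in mu.items()])

def freeze(mu):
    """Hashable key for a distribution, so that Disc(Q2) can serve as a relation's codomain."""
    return frozenset(mu.items())

def example_step():
    """Constructed instance of Condition 2 (hypothetical P1, P2): q1 -a-> mu1 in P1 is
    answered in P2 by the hyper-transition delta(q2) -a-> flatten(nu2) with mu1 R nu2,
    where R ⊆ Q1 x Disc(Q2) relates x to delta(u) and y to delta(v)."""
    mu1 = {"x": Fraction(1, 2), "y": Fraction(1, 2)}
    d_u, d_v = {"u": Fraction(1)}, {"v": Fraction(1)}
    R = {("x", freeze(d_u)), ("y", freeze(d_v))}
    nu2 = {freeze(d_u): Fraction(1, 2), freeze(d_v): Fraction(1, 2)}     # nu2 in Disc(Disc(Q2))
    w = lifted(R, mu1, nu2)
    # P2 answers from q2 by combining q2 -a-> delta(u) and q2 -a-> delta(v) with weights 1/2, 1/2.
    combined = combined_transition([d_u, d_v], [Fraction(1, 2), Fraction(1, 2)])
    target = hyper_transition({"q2": Fraction(1)}, {"q2": combined})
    matches = target == flatten([(p, dict(k)) for k, p in nu2.items()])
    return w, target, matches

# Constructed data for the lifting check.
R_EX = {("a", 1), ("a", 2), ("b", 2), ("b", 3)}
MU_X = {"a": Fraction(1, 2), "b": Fraction(1, 2)}
MU_Y_OK = {1: Fraction(1, 4), 2: Fraction(1, 2), 3: Fraction(1, 4)}
MU_Y_BAD = {1: Fraction(3, 4), 3: Fraction(1, 4)}      # 'a' can move at most 1/2 onto 1
NU_EX = [(Fraction(1, 2), {"p": Fraction(1)}), (Fraction(1, 2), {"p": Fraction(1, 2), "q": Fraction(1, 2)})]

if __name__ == "__main__":
    print("lifting holds:", lifted(R_EX, MU_X, MU_Y_OK))
    print("lifting fails:", lifted(R_EX, MU_X, MU_Y_BAD))
    print("flatten:", flatten(NU_EX))
    print("step condition instance:", example_step())
```

The max-flow formulation is what makes the lifting decidable in polynomial time for finite supports; conditions 2 and 3 of the definition are exactly the flow-conservation and saturation constraints, and condition 1 is enforced by only adding x→y edges for pairs in R.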

Tree-Structured Probabilistic Automata: The unfolding of a probabilistic auto-
maton P, denoted by Unfold(P), is the tree-structured probabilistic automa-
ton Q obtained from P by unfolding its transition graph into a tree. Formally,
Q_Q = execs*(P), q̄_Q = q̄_P, E_Q = E_P, H_Q = H_P, and D_Q = {(α, a, μ) |
∃μ' : (lstate(α), a, μ') ∈ D_P, ∀q μ'(q) = μ(α a q)}.

Proposition 9. P ≡_PF Unfold(P).

Proof. It is easy to check that the relation R where α R δ(q) iff lstate(α) = q is
a probabilistic forward simulation from Unfold(P) to P and that the "inverse"
of R is a probabilistic forward simulation from P to Unfold(P).

Proposition 10. P ≡_DC Unfold(P).

Proof. By Proposition 9, and Proposition 8, Parts 1 and 3.
4 Characterizations of ≤_DC: Nondeterministic Automata

In this section, we prove our characterization theorems for ≤_DC for nondeter-
ministic automata: Theorem 1 characterizes ≤_DC in terms of ≤_F, for automata
without internal actions, and Theorem 2 characterizes ≤_DC in terms of ≤_wF,
for arbitrary nondeterministic automata. In each case, we prove the result first
for tree-structured automata and then extend it to the non-tree-structured case
via unfolding. The interesting direction for these results is the completeness di-
rection, showing that A1 ≤_DC A2 implies the existence of a simulation relation
from A1 to A2.

Our proofs of completeness for nondeterministic automata use the simple cha-
racterization in Proposition 6, applied to a special context for A1 that we call the
dual probabilistic automaton of A1. Informally speaking, the dual probabilistic
automaton of a nondeterministic automaton A is a probabilistic automaton C
whose traces contain information about states and transitions of A. C's states
and start state are the same as those of A. For every state q of A, C has a
self-loop transition labeled by q. Also, if Tr is the (nonempty) set of transitions
from q in A, then from state q, C has a uniform transition labeled by ch to
{target(tr) | tr ∈ Tr}.

Definition 1. The dual probabilistic automaton of an automaton A is a PA C
such that

- Q_C = Q_A, q̄_C = q̄_A,

- E_C = Q_A ∪ {ch}, H_C = ∅,

- D_C = {(q, ch, U({q' | q -> q'})) | q ->_A} ∪ {(q, q, δ(q)) | q ∈ Q_A}.

Since C and A share no actions, C cannot ensure that its traces faithfully
emulate the behavior of A. However, an appropriate scheduler can synchronize
the two automata and ensure such an emulation.



4.1 Automata without Internal Actions

We first consider tree-structured automata.

Proposition 11. Let A1 and A2 be tree-structured nondeterministic automata
without internal actions, such that A1 ≤_DC A2. Then A1 ≤_F A2.

Proof. Assume that A1 ≤_DC A2. Let C be the dual probabilistic automaton of
A1. Without loss of generality, we assume that the set of actions of C is disjoint
from those of A1 and A2. This implies that C is compatible with both A1 and
A2.

Consider the scheduler σ1 for A1‖C that starts by scheduling the self-loop
transition labelled by the start state of C, leading to state (q̄1, q̄1), which is of
the form (q, q). Then σ1 repeats the following as long as q ->_1:

1. Schedule the ch transition of C, thus choosing a new state q' of A1.

2. Schedule (q, a, q') in A1, where a is uniquely determined by the selected state
q' (recall that A1 is a tree).

3. Schedule the self-loop transition of C labeled by q', resulting in the state
(q', q'), which is again of the form (q, q).

Scheduler σ1 induces a trace distribution μ_T. Observe that μ_T satisfies the fol-
lowing three properties, for all finite traces β and for all states q:

$$\mu_T(C_{\bar q_1}) = 1 \tag{1}$$

$$q \rightarrow_1 \;\Rightarrow\; \mu_T(C_{\beta\,q\,\mathit{ch}}) = \mu_T(C_{\beta\,q}) \tag{2}$$

$$\mu_T(C_{\beta\,q\,\mathit{ch}}) > 0 \;\Rightarrow\; \sum_{a,\,q' \;:\; q \xrightarrow{a}_1 q'} \mu_T(C_{\beta\,q\,\mathit{ch}\,a\,q'}) = \mu_T(C_{\beta\,q\,\mathit{ch}}) \tag{3}$$
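To make the construction of this proof concrete, here is an added Python example (our own code, not the paper's) that builds the dual probabilistic automaton C of Definition 1 for a small tree-structured A1 without internal actions, forms A1‖C with the composition of Sect. 3, runs the scheduler σ1 of the three steps above as a deterministic scheduler, computes the cone measure μ(C_α) of Sect. 3 for every execution of positive measure, derives the trace distribution μ_T, and checks Equations (1), (2) and (3) on it. The automaton A1 (states s0 to s4, actions a, b, c) and all helper names (PA, dual, compose, make_sigma1, ...) are assumptions made for the illustration; since σ1 is deterministic and A1 is a finite tree, the product formula for μ(C_α) reduces to multiplying the probabilities along the path, which is what probabilistic_execution does.

```python
from fractions import Fraction

class PA:
    """PA without internal actions: D holds (source, action, target measure),
    measures being dicts state -> Fraction."""
    def __init__(self, start, actions, transitions):
        self.start, self.actions, self.D = start, frozenset(actions), list(transitions)
        assert all(a in self.actions and sum(mu.values()) == 1 for _, a, mu in self.D)
    def states(self):
        return {self.start} | {q for q, _, _ in self.D} | {x for _, _, mu in self.D for x in mu}
    def from_state(self, q):
        return [tr for tr in self.D if tr[0] == q]

def dirac(q): return {q: Fraction(1)}
def uniform(xs): return {x: Fraction(1, len(xs)) for x in xs}

def nondet(start, transitions):
    """A nondeterministic automaton viewed as a PA (Dirac targets)."""
    return PA(start, {a for _, a, _ in transitions}, [(q, a, dirac(q2)) for q, a, q2 in transitions])

def dual(A):
    """Definition 1: A's states are C's states and C's actions; 'ch' picks a successor
    uniformly; every state q carries a self-loop labelled q."""
    D = []
    for q in A.states():
        succ = {q2 for (p, _, mu) in A.D if p == q for q2 in mu}
        if succ:
            D.append((q, "ch", uniform(succ)))
        D.append((q, q, dirac(q)))
    return PA(A.start, A.states() | {"ch"}, D)

def compose(P1, P2):
    """Parallel composition of Sect. 3: a component that owns the action takes one of
    its transitions, the other stays put (Dirac); targets are product measures."""
    def options(P, q, a):
        return [mu for (p, b, mu) in P.D if p == q and b == a] if a in P.actions else [dirac(q)]
    D = [((q1, q2), a, {(x, y): p * r for x, p in mu1.items() for y, r in mu2.items()})
         for q1 in P1.states() for q2 in P2.states() for a in P1.actions | P2.actions
         for mu1 in options(P1, q1, a) for mu2 in options(P2, q2, a)]
    return PA((P1.start, P2.start), P1.actions | P2.actions, D)

def make_sigma1(A1, A1C):
    """sigma_1 of the proof of Proposition 11, as a deterministic scheduler for A1||C:
    the one transition to take after a finite execution, or None to stop."""
    def pick(q, a, target=None):
        trs = [tr for tr in A1C.from_state(q) if tr[1] == a and (target is None or tr[2] == dirac(target))]
        assert len(trs) == 1
        return trs[0]
    def sigma1(alpha):
        (q1, qc), last = alpha[-1], (alpha[-2] if len(alpha) > 1 else None)
        if last is None or last in A1.actions:      # state (q, q): C's self-loop labelled q
            return pick(alpha[-1], q1)
        if last == "ch":                             # C chose qc: the unique A1 step q1 -a-> qc (A1 is a tree)
            (_, a, _), = [tr for tr in A1.from_state(q1) if tr[2] == dirac(qc)]
            return pick(alpha[-1], a, target=(qc, qc))
        return pick(alpha[-1], "ch") if A1.from_state(q1) else None   # continue while q -->_1
    return sigma1

def probabilistic_execution(P, scheduler):
    """mu(C_alpha) for each finite execution alpha of positive measure under a deterministic,
    terminating scheduler: the product formula of Sect. 3 collapses to a path product."""
    cones, stack = {}, [((P.start,), Fraction(1))]
    while stack:
        alpha, p = stack.pop()
        cones[alpha] = p
        tr = scheduler(alpha)
        if tr is not None:
            stack.extend((alpha + (tr[1], q2), p * r) for q2, r in tr[2].items())
    return cones

def trace_distribution(cones):
    """mu_T(C_beta) for every trace beta of positive measure; with no internal actions
    the trace of alpha is its action sequence alpha[1::2]."""
    tdist = {}
    for alpha, p in cones.items():
        tdist[alpha[1::2]] = tdist.get(alpha[1::2], Fraction(0)) + p
    return tdist

def check_equations(A1, tdist):
    """Equations (1)-(3) of the proof of Proposition 11, checked on every trace beta q
    (q a state of A1) of positive measure; returns one Boolean per equation."""
    mu = lambda beta: tdist.get(tuple(beta), Fraction(0))
    eq1, eq2, eq3 = mu((A1.start,)) == 1, True, True
    for beta in tdist:
        q = beta[-1] if beta else None
        if q not in A1.states():
            continue
        if A1.from_state(q):
            eq2 = eq2 and mu(beta + ("ch",)) == mu(beta)
        if mu(beta + ("ch",)) > 0:
            total = sum(mu(beta + ("ch", a, q2)) for (_, a, m) in A1.from_state(q) for q2 in m)
            eq3 = eq3 and total == mu(beta + ("ch",))
    return eq1, eq2, eq3

# Constructed input: a tree-structured A1 without internal actions, its dual C, and A1||C.
A1 = nondet("s0", [("s0", "a", "s1"), ("s0", "a", "s2"), ("s1", "b", "s3"), ("s2", "c", "s4")])
C = dual(A1)
assert not (A1.actions & C.actions)       # C's actions (state names and 'ch') must not clash with A1's
A1C = compose(A1, C)
MU_T = trace_distribution(probabilistic_execution(A1C, make_sigma1(A1, A1C)))

if __name__ == "__main__":
    for beta, p in sorted(MU_T.items(), key=lambda kv: (len(kv[0]), kv[0])):
        print(f"mu_T(C_{' '.join(beta) or 'eps'}) = {p}")
    print("Equations (1)-(3):", check_equations(A1, MU_T))
```

Running it shows the two maximal traces s0 ch a s1 ch b s3 and s0 ch a s2 ch c s4, each with probability 1/2: the ch step of C resolves A1's nondeterministic choice between the two a-transitions uniformly, and the self-loops publish the state A1 has reached, which is exactly the information the proof extracts from a matching scheduler σ2 for A2‖C.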

Since A1 ≤_DC A2, Proposition 6 implies that μ_T is also a trace distribution
of A2‖C. That is, there exists a probabilistic execution μ of A2‖C, induced by
some scheduler σ2, whose trace distribution is μ_T. Now we define a relation R:
q1 R q2 if and only if there exists an execution α of A2‖C such that:

1. lstate(α) = (q2, q1),

2. μ(C_α) > 0, and

3. σ2(α) assigns a non-zero probability to a transition labeled by q1.

We claim that R is a forward simulation from A1 to A2. For the start condition,
we must show that q̄1 R q̄2. Define execution α to be the trivial execution
consisting of the start state (q̄2, q̄1). Conditions 1 and 2 are clearly satisfied. For
Condition 3, observe that, by Equation (1), μ_T(C_{q̄1}) = 1. Therefore, since there
are no internal actions in A2 or C, the only action that can be scheduled initially
by σ2 is q̄1. Therefore, σ2(α) assigns probability 1 to the unique transition whose
label is q̄1, as needed.

For the step condition, assume q1 R q2, and let q1 -a->_1 q1'. By definition of
R, there exists a finite execution α of A2‖C, with last state (q2, q1), such that
μ(C_α) > 0 and σ2(α) assigns a non-zero probability to a transition labeled by
q1. Therefore, the sequence α' = α q1 (q2, q1) is an execution of A2‖C such that
μ(C_{α'}) > 0. Therefore, μ_T(C_{β q1}) > 0, where β = trace(α). Since q1 enables at
least one transition in A1, Equation (2) implies that μ_T(C_{β q1 ch}) = μ_T(C_{β q1}).
Then since A2 and C have no internal actions, σ2 must schedule action ch from
α' with probability 1.

Since action ch leads to state q1' of C with non-zero probability, which enables
only actions q1' and ch, by Equation (3), σ2 schedules at least one transition
labeled by a, followed by a transition labeled by q1'. Observe that the transition
labeled by a is a transition of A2. Let (q2, a, q2') be such a transition. Then, the
sequence α'' = α' ch (q2, q1') a (q2', q1') is an execution of A2‖C such that μ(C_{α''}) > 0
and such that σ2(α'') assigns a non-zero probability to a transition labeled by
q1'. This shows that q1' R q2' and completes the proof since we have found a state
q2' such that q2 -a->_2 q2' and q1' R q2'.
Now we present our main result, for general (non-tree-structured) nondeter-
ministic automata without internal actions.

Theorem 1. Let A1, A2 be nondeterministic automata without internal ac-
tions. Then A1 ≤_DC A2 if and only if A1 ≤_F A2.

Proof. First we prove soundness of forward simulations:

A1 ≤_F A2                                  ⇒ (Proposition 7, Part 1)
A1 ≤_PF A2                                 ⇒ (Proposition 8, Part 1)
A1 ≤_wPF A2                                ⇒ (Proposition 8, Part 3)
A1 ≤_DC A2.

Completeness is established by:

A1 ≤_DC A2                                                 ⇒ (Proposition 10)
Unfold(A1) ≤_DC A1 ≤_DC A2 ≤_DC Unfold(A2)                 ⇒ (≤_DC is transitive)
Unfold(A1) ≤_DC Unfold(A2)                                 ⇒ (Proposition 11)
Unfold(A1) ≤_F Unfold(A2)                                  ⇒ (Proposition 3)
A1 ≤_F Unfold(A1) ≤_F Unfold(A2) ≤_F A2                    ⇒ (≤_F is transitive)
A1 ≤_F A2.



4.2 Automata with Internal Actions

Next we extend the results of Sect. 4.1 to automata that include internal actions.
The proofs are analogous to those in Sect. 4.1, and use the same dual probabilistic
automaton. The difference is that, in several places in the proof of Proposition 12,
we need to reason about multi-step extensions of executions instead of single-step
extensions. Again, we begin with tree-structured automata.

Proposition 12. Let A1, A2 be tree-structured nondeterministic automata such
that A1 ≤_DC A2. Then A1 ≤_wF A2.

Proof. Assume that A1 ≤_DC A2. Let C be the dual probabilistic automaton of
A1, and define scheduler σ1 exactly as in the proof of Proposition 11. Equati-
ons (1), (2) and (3) hold in this case as well. We redefine relation R: q1 R q2 iff
there exists an execution α of A2‖C such that:

1. lstate(α) = (q2, q1),

2. μ(C_α) > 0, and

3. there exists an execution fragment, α', of A2‖C, such that trace(α') = q1
and μ(C_{α ⌢ α'}) > 0.

We claim that R is a weak forward simulation from A1 to A2. For the start
condition, we show that q̄1 R q̄2. Define α to be the trivial execution consisting of
the start state (q̄2, q̄1); this clearly satisfies Conditions 1 and 2. For Condition 3,
observe that, by Equation (1), μ_T(C_{q̄1}) = 1. The inverse image under the trace
mapping for A2‖C, of C_{q̄1}, is a union of cones of the form C_{α'}, where α' is
an execution of A2‖C with trace q̄1; therefore, there exists such an α' with
μ(C_{α'}) > 0. Since the first state of α' is (q̄2, q̄1), α ⌢ α' = α'. Thus, μ(C_{α ⌢ α'}) > 0,
as needed.

For the step condition, assume q1 R q2, and let q1 -a->_1 q1'. By definition
of R, there exists a finite execution α of A2‖C, with last state (q2, q1), such
that μ(C_α) > 0 and there exists an execution fragment, α', of A2‖C, such that
trace(α') = q1 and μ(C_{α ⌢ α'}) > 0. Let β = trace(α); then trace(α ⌢ α') = β q1,
and so μ_T(C_{β q1}) > 0. Since q1 enables at least one transition in A1, Equation (2)
implies that μ_T(C_{β q1 ch}) = μ_T(C_{β q1}). Thus there exists an execution fragment
α'' of A2‖C with trace ch such that μ(C_{α ⌢ α' ⌢ α''}) > 0. Furthermore, since the
transition of C labeled by ch leads to state q1' with non-zero probability, we can
assume that the last state of α'' is of the form (q'', q1') for some state q''.

Since μ_T(C_{β q1 ch}) > 0, Equation (3) applies. Furthermore, since from the last
state of α'' the only external actions of C that are enabled are ch and q1', there
exists an execution fragment α''' with trace a q1' (a is uniquely determined by q1'
since A1 is tree-structured), such that μ(C_{α ⌢ α' ⌢ α'' ⌢ α'''}) > 0.

Now we split α''' into α1''' ⌢ α2''', where trace(α1''') = a. Then the last state
of α1''' is of the form (q''', q1'). We claim that q1' R q'''. Indeed, the execu-
tion α ⌢ α' ⌢ α'' ⌢ α1''' ends with state (q''', q1') (Condition 1) and satisfies
μ(C_{α ⌢ α' ⌢ α'' ⌢ α1'''}) > 0 (Condition 2). Furthermore, α2''' is an execution frag-
ment that satisfies Condition 3.

It remains to show that q2 =a=>_2 q'''. For this, it suffices to observe that the
execution fragment (α' ⌢ α'' ⌢ α1''')⌈A2 has trace a, first state q2, and last state
q'''.

Theorem 2. Let A1, A2 be nondeterministic automata. Then A1 ≤_DC A2 if
and only if A1 ≤_wF A2.

Proof. Analogous to the proof of Theorem 1.

5 Characterizations of ≤_DC: Probabilistic Automata

Finally, we present our characterization theorems for ≤_DC for probabilistic auto-
mata: Theorem 3 characterizes ≤_DC in terms of ≤_PF, for PAs without internal
actions, and Theorem 4 characterizes ≤_DC in terms of ≤_wPF, for arbitrary PAs.
Again, we give the results first for tree-structured automata and extend them
by unfolding.

Our proofs of completeness for PAs are analogous to those for nondetermi-
nistic automata. We define a new kind of dual probabilistic automaton C for a
PA P, which is slightly different from the one for nondeterministic automata.
The main differences are that the new C keeps track, in its state, of transitions
as well as states of the given PA P, and that the new C has separate transitions
representing nondeterministic and probabilistic choices within P. Specifically,
the states of C include a distinguished start state, all the states of P, and all
the transitions of P. C has a special transition from its own start state q̄_C to




Compositionality for Probabilistic Automata 



219 



the start state of V, q-p, labeled by qp. Also, from every state q of V, C has 
a uniform transition labeled by ch to the set of transitions of V that start in 
state q. Finally, for every transition tr of V, and every state q in the support of 
target{tr), C has a transition labeled by q from tr to q. 

Definition 2. The dual probabilistic automaton of a PA $\mathcal{P}$ is a PA $C$ such that

- $Q_C = \{q_C\} \cup Q_{\mathcal{P}} \cup D_{\mathcal{P}}$,

- $E_C = Q_{\mathcal{P}} \cup \{ch\}$, $H_C = \emptyset$,

- $D_C = \{(q_C, q_{\mathcal{P}}, q_{\mathcal{P}})\} \cup \{(q, ch, \mathcal{U}(\{tr \in D_{\mathcal{P}} \mid source(tr) = q\})) \mid q \in Q_{\mathcal{P}}\} \cup \{(tr, q, q) \mid tr \in D_{\mathcal{P}},\ q \in supp(target(tr))\}$.



Proposition 13. Let $\mathcal{P}_1, \mathcal{P}_2$ be tree-structured probabilistic automata without internal actions, such that $\mathcal{P}_1 \leq_{DC} \mathcal{P}_2$. Then $\mathcal{P}_1 \leq_{PF} \mathcal{P}_2$.



Proof (Sketch). Assume that $\mathcal{P}_1 \leq_{DC} \mathcal{P}_2$. Let $C$ be the dual probabilistic automaton of $\mathcal{P}_1$. Consider the scheduler $\sigma_1$ for $\mathcal{P}_1 \| C$ that starts by scheduling the transition of $C$ from the start state of $C$ to the start state of $\mathcal{P}_1$, leading to state $(q_1, q_1)$, which is of the form $(q, q)$. Then $\sigma_1$ repeats the following as long as $q \rightarrow_1$ (that is, as long as $q$ enables a transition of $\mathcal{P}_1$):

1. Schedule the $ch$ transition of $C$, thus choosing a transition $tr$ of $\mathcal{P}_1$.

2. Schedule transition $tr$ of $\mathcal{P}_1$, leading $\mathcal{P}_1$ to a new state $q'$.

3. Schedule the transition of $C$ labeled by the state $q'$, resulting in the state $(q', q')$, which is again of the form $(q, q)$.

Scheduler $\sigma_1$ induces a trace distribution $\eta_D$. Since $\mathcal{P}_1 \leq_{DC} \mathcal{P}_2$, Proposition 6 implies that $\eta_D$ is also a trace distribution of $\mathcal{P}_2 \| C$. That is, there exists a probabilistic execution $\mu$ of $\mathcal{P}_2 \| C$, induced by some scheduler $\sigma_2$, whose trace distribution is $\eta_D$.

For each state $q_1$ in $Q_1$, let $\Theta_{q_1}$ be the set of finite executions of $\mathcal{P}_2 \| C$ whose last transition is labeled by $q_1$. For each state $q_2$ of $\mathcal{P}_2$, let $\Theta_{q_1, q_2}$ be the set of finite executions in $\Theta_{q_1}$ whose last state is the pair $(q_2, q_1)$. Now define relation $R$: $q_1 \mathrel{R} \rho_2$ iff for each state $q_2$ of $Q_2$,

$\rho_2(q_2)$ (4)

We claim that $R$ is a probabilistic forward simulation from $\mathcal{P}_1$ to $\mathcal{P}_2$. The proof of this claim appears in [4].



Theorem 3. Let $\mathcal{P}_1, \mathcal{P}_2$ be probabilistic automata without internal actions. Then $\mathcal{P}_1 \leq_{DC} \mathcal{P}_2$ if and only if $\mathcal{P}_1 \leq_{PF} \mathcal{P}_2$.

Proposition 14. Let $\mathcal{P}_1, \mathcal{P}_2$ be tree-structured probabilistic automata such that $\mathcal{P}_1 \leq_{DC} \mathcal{P}_2$. Then $\mathcal{P}_1 \leq_{wPF} \mathcal{P}_2$.

Proof (Sketch). We use the same dual automaton $C$. Define scheduler $\sigma_1$ and relation $R$ exactly as in the proof of Proposition 13. Now $R$ is a weak probabilistic forward simulation, as shown in [4].

Theorem 4. Let $\mathcal{P}_1, \mathcal{P}_2$ be probabilistic automata. Then $\mathcal{P}_1 \leq_{DC} \mathcal{P}_2$ if and only if $\mathcal{P}_1 \leq_{wPF} \mathcal{P}_2$.



6 Concluding Remarks 

We have characterized the trace distribution precongruence for nondeterministic and probabilistic automata, with and without internal actions, in terms of four kinds of simulation relations, $\leq_F$, $\leq_{wF}$, $\leq_{PF}$, and $\leq_{wPF}$. In particular, this shows that probabilistic contexts are capable of observing all the distinctions that can be expressed using these simulation relations. Some technical improvements are possible. For example, our finite branching restriction can be relaxed to countable branching, simply by replacing uniform distributions in the dual automata by other distributions such as exponential distributions.

For future work, it would be interesting to try to restrict the class of schedulers used for defining the trace distribution precongruence, so that fewer distinctions are observable by probabilistic contexts. It remains to define such restrictions and to provide explicit characterizations of the resulting new notions of $\leq_{DC}$, for instance in terms of button pushing scenarios.
Abstract. Temporal logics over Mazurkiewicz traces have been extensively studied over the past fifteen years. In order to be usable for the verification of concurrent systems they need to have reasonable complexity for the satisfiability and the model checking problems. Whenever a new temporal logic was introduced, a new proof (usually non trivial) was needed to establish the complexity of these problems. In this paper, we introduce a unified framework to define local temporal logics over traces. We prove that the satisfiability problem and the model checking problem for asynchronous Kripke structures for local temporal logics over traces are decidable in PSPACE. This subsumes and sometimes improves all complexity results previously obtained on local temporal logics for traces.



1 Introduction 

Over the past fifteen years, a lot of papers have been devoted to the study of temporal logics over partial orders and in particular over Mazurkiewicz traces. This is motivated by the need for specification languages that are suited for concurrent systems where a property should not depend on the ordering between independent events. Hence logics over linearizations of behaviors are not adequate and logics over partial orders were developed. In order to be useful for the verification of concurrent systems, these specification languages should enjoy reasonable complexity for the satisfiability and the model checking problems.

Temporal logics over traces can be classified in global ones and local ones. Here we are interested in the latter. They are evaluated at single events corresponding to local views of processes. Process based logics [13,14,11] were introduced by Thiagarajan and shown to be decidable in EXPTIME using difficult results on gossip automata. A specific feature of process based logics is the until modality that can only walk along a single process. Another approach was taken in [1] where the until is existential and walks along some path in the Hasse diagram of the partial order. The decidability in PSPACE of this logic was shown using a tableau construction. Due to this existential until, this logic is not contained in first order logic of traces [4]. In the quest for an expressively complete local temporal logic over traces, a universal until was introduced in [4] and filtered variants together with past modalities were needed in [7]. Again these logics were proved to be decidable in PSPACE using alternating automata. For each local logic, a specific proof has to be developed for the complexity of the satisfiability or the model checking problem. Such proofs are usually difficult and span several pages.

In this paper, we introduce a unified framework to define local temporal logics over traces (Sect. 5). This approach is inspired by [12]. Basically, a local temporal logic is given by a finite set of modalities whose semantics is given by a monadic second order (MSO) formula having a single individual free variable. We call these logics MSO-definable. We show that all local temporal logics considered so far (and many more) are MSO-definable. Then we show that the satisfiability problem and the model checking problem for asynchronous Kripke structures for MSO-definable temporal logics over traces are decidable in PSPACE (Sect. 6). This subsumes and sometimes improves all the complexity results over local logics discussed above. We would like to stress that the proofs for our main results are actually simpler than some proofs specific to some local logics, and even from a practical point of view, our decision procedures are as efficient as specific ones could be. Also, our results may be surprising at first since the satisfiability problem for MSO is non elementary, but because we use a finite set of MSO-definable modalities our decision problems stay in PSPACE.

Actually, we start by introducing our MSO-definable temporal logics for words (Sect. 3) and we prove that the satisfiability and the model checking problems are decidable in PSPACE (Sect. 4). Though words are special cases of traces, we believe that the paper is easier to follow in this way and that the results for words are interesting by themselves. A reader who is not familiar with traces can easily understand the results for words. Other general frameworks for temporal logics over words have been studied [17,16,9]. In [17] the modalities are defined by right linear grammars extended to infinite words while in [16,9] the modalities are defined by various kinds of automata (either non-deterministic Büchi, or alternating or two-way alternating). Note that in these approaches, the automata that define the modalities are part of the formulas. In all cases, the satisfiability problem is proved to be decidable in PSPACE. Our approach is indeed similar but differs by the way modalities are defined. We have chosen MSO modalities because this is how the semantics of local temporal logics over traces is usually defined. In this way, we trivially obtain as corollaries of our main theorems the complexity results for local temporal logics over traces. It is also possible to give automata for the local modalities over traces and apply the results of [16,9]. This is basically what is done in [5] but such a reduction is difficult and long.

2 Monadic Second Order Logic 

Let $\Sigma$ be an alphabet. Monadic second order logic (MSO) is a formalism to speak about the properties of words over $\Sigma$. It is based on individual variables $x, y, z, \ldots$ that range over positions in the word (i.e., over elements of $\mathbb{N}$) and on set variables $X, Y, Z, \ldots$ that range over sets of positions (i.e., over subsets of $\mathbb{N}$). Its atomic formulas are $x < y$, $P_a(x)$ for $a \in \Sigma$ and $X(x)$ where $x, y$ are individual variables and $X$ is a set variable. The use of Boolean connectives $\wedge, \vee, \neg, \rightarrow$ etc. and quantification $\exists x$ and $\exists X$ over individual and set variables allows one to build more complex formulas. We denote by $\mathrm{MSO}_\Sigma(<)$ the set of MSO formulas over the alphabet $\Sigma$.

To define the semantics of a formula, let $w = w_0 w_1 \cdots \in \Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. We denote by $|w|$ the length of $w$, which may be finite or infinite. A position in $w$ is an integer $p$ with $0 \leq p < |w|$. A valuation in $w$ for the formula $\varphi$ is a mapping $\nu$ that assigns positions in $w$ to the free individual variables of $\varphi$ and sets of positions in $w$ to the free set variables of $\varphi$.

$w, \nu \models_{\mathrm{MSO}} x < y$ if $\nu(x) < \nu(y)$

$w, \nu \models_{\mathrm{MSO}} P_a(x)$ if $w_{\nu(x)} = a$

$w, \nu \models_{\mathrm{MSO}} X(x)$ if $\nu(x) \in \nu(X)$

$w, \nu \models_{\mathrm{MSO}} \exists x\, \varphi$ if $w, \nu[x \mapsto p] \models_{\mathrm{MSO}} \varphi$ for some position $p$ in $w$

$w, \nu \models_{\mathrm{MSO}} \exists X\, \varphi$ if $w, \nu[X \mapsto P] \models_{\mathrm{MSO}} \varphi$ for some set $P$ of positions in $w$

Here, $\nu[x \mapsto p]$ is the mapping that coincides with $\nu$ except for the value of $x$, which is $p$; $\nu[X \mapsto P]$ is defined similarly. If $\varphi$ is an MSO formula with free variables $X_1, \ldots, X_l, x_1, \ldots, x_k$ and $\nu$ is a valuation in a word $w$ then we also write $w \models_{\mathrm{MSO}} \varphi(\nu(X_1), \ldots, \nu(X_l), \nu(x_1), \ldots, \nu(x_k))$ for $w, \nu \models_{\mathrm{MSO}} \varphi$.



3 A Uniform Framework for Temporal Logics over Words 



We introduce our approach on an example. We use PLTL (linear temporal logic with past) because it is well-known and allows us to introduce easily the main definitions. We start with a finite alphabet $\Sigma$ and recall that the syntax of PLTL is given by

$\varphi ::= a \mid \neg\varphi \mid \varphi \vee \varphi \mid \mathrm{X}\,\varphi \mid \mathrm{Y}\,\varphi \mid \varphi\,\mathrm{U}\,\varphi \mid \varphi\,\mathrm{S}\,\varphi$

where $a$ ranges over $\Sigma$. We assume the reader is familiar with the semantics of PLTL over words: $w, p \models_{\mathrm{PLTL}} \varphi$ means that the formula $\varphi$ holds in the word $w$ at position $p$. Here $w = w_0 w_1 \cdots \in \Sigma^\infty$ and $0 \leq p < |w|$. For instance,

$w, p \models_{\mathrm{PLTL}} a$ if $w_p = a$

$w, p \models_{\mathrm{PLTL}} \mathrm{Y}\,\varphi$ if $p > 0$ and $w, p-1 \models_{\mathrm{PLTL}} \varphi$

$w, p \models_{\mathrm{PLTL}} \varphi\,\mathrm{U}\,\psi$ if $\exists k\,(p < k$ and $w, k \models_{\mathrm{PLTL}} \psi$ and $w, j \models_{\mathrm{PLTL}} \varphi$ for all $p < j < k)$



In order to define PLTL in our framework, we start with a vocabulary $B$ of modality names and a mapping $\mathrm{arity} : B \rightarrow \mathbb{N}$ giving the arity of each modality. The modality names of arity 0 are the atomic formulas of $\mathrm{TL}(B)$. Other formulas are obtained from atomic formulas by the application of modalities. The syntax of the temporal logic $\mathrm{TL}(B)$ based on the vocabulary $B$ is then

$\varphi ::= \sum_{M \in B} M(\underbrace{\varphi, \ldots, \varphi}_{\mathrm{arity}(M)})$

For PLTL we consider $B_{\mathrm{PLTL}} = \Sigma \cup \{\neg, \mathrm{X}, \mathrm{Y}, \vee, \mathrm{U}, \mathrm{S}\}$ and the arity is 0 for elements in $\Sigma$, 1 for $\neg, \mathrm{X}, \mathrm{Y}$ and 2 for $\vee, \mathrm{U}, \mathrm{S}$. The syntax of $\mathrm{TL}(B_{\mathrm{PLTL}})$ is then precisely that of PLTL.

In order to define the semantics of $\mathrm{TL}(B)$ we consider a mapping $\llbracket - \rrbracket : B \rightarrow \mathrm{MSO}_\Sigma(<)$ in such a way that if $M \in B$ is of arity $\ell$ then $\llbracket M \rrbracket$ is an $\ell$-ary MSO modality, that is, an MSO formula with $\ell$ free set variables $X_1, \ldots, X_\ell$ and one free individual variable $x$. The intuition is that a word $w$ at position $p$ satisfies $M(\varphi_1, \ldots, \varphi_\ell)$ if $w, \nu \models_{\mathrm{MSO}} \llbracket M \rrbracket(X_1, \ldots, X_\ell, x)$ when $\nu(x) = p$ and, for each $i$, $\nu(X_i)$ is the set of positions in $w$ where $\varphi_i$ holds. For PLTL, the mapping $\llbracket - \rrbracket$ is given by

$\llbracket a \rrbracket(x) = P_a(x)$ for $a \in \Sigma$

$\llbracket \neg \rrbracket(X_1, x) = \neg X_1(x)$

$\llbracket \mathrm{X} \rrbracket(X_1, x) = X_1(x+1) = \exists z\,(x < z \wedge X_1(z) \wedge \forall y\,(x < y \rightarrow z \leq y))$

$\llbracket \mathrm{Y} \rrbracket(X_1, x) = X_1(x-1) = \exists z\,(z < x \wedge X_1(z) \wedge \forall y\,(y < x \rightarrow y \leq z))$

$\llbracket \vee \rrbracket(X_1, X_2, x) = X_1(x) \vee X_2(x)$

$\llbracket \mathrm{U} \rrbracket(X_1, X_2, x) = \exists z\,(x < z \wedge X_2(z) \wedge \forall y\,(x < y < z \rightarrow X_1(y)))$

$\llbracket \mathrm{S} \rrbracket(X_1, X_2, x) = \exists z\,(z < x \wedge X_2(z) \wedge \forall y\,(z < y < x \rightarrow X_1(y)))$

Finally, given a word $w \in \Sigma^\infty$ and a formula $\varphi \in \mathrm{TL}(B)$, we define inductively the set $\varphi^w$ of positions in $w$ where $\varphi$ holds. If $\varphi = M(\varphi_1, \ldots, \varphi_\ell)$ where $M \in B$ is of arity $\ell \geq 0$, then

$\varphi^w = \{p < |w| \mid w \models_{\mathrm{MSO}} \llbracket M \rrbracket(\varphi_1^w, \ldots, \varphi_\ell^w, p)\}.$

Proposition 1. Let $\varphi \in \mathrm{TL}(B_{\mathrm{PLTL}}) = \mathrm{PLTL}$ and $w \in \Sigma^\infty$. Then, $\varphi^w = \{p < |w| \mid w, p \models_{\mathrm{PLTL}} \varphi\}$.



The proof of this proposition is easy and omitted. What is interesting is that it exhibits an alternative definition of PLTL using a vocabulary $B$ (with arity) and a semantic map $\llbracket - \rrbracket$. By varying the vocabulary and the semantic map we have a very general way to define temporal logics for words and therefore a formal framework to state complexity results for a large class of temporal logics. This is exactly what we were looking for.

For convenience, we summarize below the definition of an MSO temporal logic over words.

Definition 2. We start with a set $B$ consisting of modality names together with a mapping $\mathrm{arity} : B \rightarrow \mathbb{N}$ giving the arity of each modality. Then the syntax of the temporal logic $\mathrm{TL}(B)$ is defined by the grammar

$\varphi ::= \sum_{M \in B} M(\underbrace{\varphi, \ldots, \varphi}_{\mathrm{arity}(M)})$

Consider a mapping $\llbracket - \rrbracket : B \rightarrow \mathrm{MSO}_\Sigma(<)$ such that $\llbracket M \rrbracket$ is an $\ell$-ary MSO modality, that is, an MSO formula with $\ell$ free set variables $X_1, \ldots, X_\ell$ and one free individual variable $x$. Given a word $w \in \Sigma^\infty$ and a formula $\varphi \in \mathrm{TL}(B)$, the semantics is given by the set $\varphi^w$ of positions in $w$ where $\varphi$ holds. The inductive definition is as follows. If $\varphi = M(\varphi_1, \ldots, \varphi_\ell)$ where $M \in B$ is of arity $\ell \geq 0$, then

$\varphi^w = \{p < |w| \mid w \models_{\mathrm{MSO}} \llbracket M \rrbracket(\varphi_1^w, \ldots, \varphi_\ell^w, p)\}.$

We also write $w, p \models \varphi$ for $p \in \varphi^w$.

If we fix the triple $(B, \mathrm{arity}, \llbracket - \rrbracket)$ once and for all, the expressive power of $\mathrm{TL}(B)$ is limited. For instance, the expressive power of PLTL is known to be strictly weaker than that of monadic second order logic [8]. We can extend its expressive power by introducing a new modality name $\mathrm{even}$ of arity 1 with associated MSO-modality

$\llbracket \mathrm{even} \rrbracket = \exists Y\,(|Y| \text{ is even} \wedge \forall y\,(Y(y) \leftrightarrow (X_1(y) \wedge y > x))).$

The formula $\mathrm{even}(a) \in \mathrm{TL}(\{\mathrm{even}, a\})$ is satisfied by a word $w$ in position $p$ if and only if the word $w$ contains an even number of occurrences of the letter $a$ to the right of $p$. Recall that this property is not expressible in PLTL [8].
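The vocabulary-plus-semantic-map definition of $\mathrm{TL}(B)$ above can be run directly on finite words. The following block is an added example and not code from the paper: each MSO-modality $\llbracket M \rrbracket$ of the PLTL table becomes a Python predicate over (word, sets of positions, position), and $\varphi^w$ is computed by the inductive definition of Definition 2. The tuple encoding of formulas, the names `not` and `or` for $\neg$ and $\vee$, and the restriction to finite words are our assumptions; the `even` modality is implemented by counting, which is the finite-word reading of the MSO formula above.

```python
# Added example (not from the paper): the "vocabulary B + semantic map [[-]]"
# definition of TL(B) over finite words. Each MSO-modality [[M]] is mirrored by
# a Python predicate of the same shape, (w, (X_1, ..., X_l), x) -> bool, and
# phi^w is computed by the inductive definition of Sect. 3.

def pltl_vocabulary(alphabet):
    """B_PLTL = alphabet + {not, X, Y, or, U, S} with arities 0, 1, 1, 2, 2, 2.
    Each entry maps a modality name to (arity, predicate mirroring [[M]])."""
    B = {a: (0, lambda w, xs, p, a=a: w[p] == a) for a in alphabet}   # [[a]](x) = P_a(x)
    B["not"] = (1, lambda w, xs, p: p not in xs[0])                    # not X_1(x)
    B["X"] = (1, lambda w, xs, p: p + 1 in xs[0])                       # X_1(x+1)
    B["Y"] = (1, lambda w, xs, p: p - 1 in xs[0])                       # X_1(x-1); false at p = 0
    B["or"] = (2, lambda w, xs, p: p in xs[0] or p in xs[1])            # X_1(x) or X_2(x)
    # [[U]] = exists z (x < z and X_2(z) and forall y (x < y < z -> X_1(y)))  (strict, as in the text)
    B["U"] = (2, lambda w, xs, p: any(z in xs[1] and all(y in xs[0] for y in range(p + 1, z))
                                      for z in range(p + 1, len(w))))
    # [[S]] = exists z (z < x and X_2(z) and forall y (z < y < x -> X_1(y)))
    B["S"] = (2, lambda w, xs, p: any(z in xs[1] and all(y in xs[0] for y in range(z + 1, p))
                                      for z in range(p)))
    return B

def with_even(B):
    """Extend B by the modality 'even' of Sect. 3: [[even]](X_1, x) holds iff the
    number of positions y > x in X_1 is even (not expressible in PLTL)."""
    B = dict(B)
    B["even"] = (1, lambda w, xs, p: sum(1 for y in xs[0] if y > p) % 2 == 0)
    return B

def positions(formula, w, B):
    """phi^w = {p < |w| | w |=MSO [[M]](phi_1^w, ..., phi_l^w, p)} for phi = M(phi_1, ..., phi_l).
    Formulas are nested tuples, e.g. ("a",) or ("U", ("a",), ("b",))."""
    name, *args = formula
    arity, pred = B[name]
    if len(args) != arity:
        raise ValueError(f"{name} has arity {arity}, got {len(args)} arguments")
    subs = [positions(arg, w, B) for arg in args]   # the sets phi_i^w, computed first
    return frozenset(p for p in range(len(w)) if pred(w, subs, p))

def holds(formula, w, p, B):
    """w, p |= phi  iff  p in phi^w."""
    return p in positions(formula, w, B)

if __name__ == "__main__":
    B = with_even(pltl_vocabulary("ab"))
    w = "abba"                                          # constructed sample word
    a, b = ("a",), ("b",)
    print(sorted(positions(("U", a, b), w, B)))         # [0, 1]
    print(sorted(positions(("even", a), w, B)))         # [3]
```

On the constructed word `abba` the strict until of the page gives $(a\,\mathrm{U}\,b)^w = \{0, 1\}$ and $\mathrm{even}(a)^w = \{3\}$. Replacing `pltl_vocabulary` by any other finite set of such predicates changes the logic without touching `positions`, which is exactly the separation between $(B, \mathrm{arity}, \llbracket - \rrbracket)$ and the inductive semantics that the framework relies on.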

4 Complexity of Temporal Logics for Words 

In this section, we show that, whatever the finite set $B$ of modality names and associated MSO-modalities is, the satisfiability and the model checking problems for $\mathrm{TL}(B)$ are decidable in PSPACE.

Satisfiability Problem for $\mathrm{TL}(B)$ over Words: Given a formula $\xi \in \mathrm{TL}(B)$, does there exist a word $w \in \Sigma^\infty$ and a position $p$ in $w$ such that $w, p \models \xi$?

Remark 3. One may also consider initial satisfiability of a given formula $\xi \in \mathrm{TL}(B)$, i.e., does there exist a word $w \in \Sigma^\infty$ such that $w, 0 \models \xi$? This problem can be easily reduced to the general satisfiability. Add a modality name $\mathrm{init}$ of arity 1 to $B$ with associated MSO-modality $\llbracket \mathrm{init} \rrbracket(X_1, x) = \exists y\,(y \leq x \wedge X_1(y) \wedge y \text{ minimal})$. Now, a formula $\xi \in \mathrm{TL}(B)$ is initially satisfiable if and only if the formula $\mathrm{init}(\xi)$ is satisfiable.

For a word $w = a_0 a_1 \cdots \in \{0,1\}^\infty$, let $\mathrm{supp}(w) = \{p < |w| \mid a_p = 1\}$ denote the support of $w$. For $\ell \in \mathbb{N}$, we consider the alphabet $\Sigma_\ell = \Sigma \times \{0,1\}^\ell$. A letter $\bar{a} \in \Sigma_\ell$ will be written $\bar{a} = (a_0, a_1, \ldots, a_\ell)$ and a word $\bar{w} \in \Sigma_\ell^\infty$ will be identified with a tuple of words of the same length in the obvious way: $\bar{w} = (w_0, w_1, \ldots, w_\ell) \in \Sigma^\infty \times (\{0,1\}^\infty)^\ell$ with $|\bar{w}| = |w_i|$ for $0 \leq i \leq \ell$. Recall the following result that can easily be extracted from the proof of Büchi's theorem.

Theorem 4 ([2]). Let $M$ be an $\ell$-ary modality name and $\llbracket M \rrbracket$ its associated MSO-modality. Then there exists a Büchi-automaton $\mathcal{B}_M$ over the alphabet $\Sigma_{\ell+1}$ such that $\bar{w} = (w_0, w_1, \ldots, w_{\ell+1}) \in \mathcal{L}(\mathcal{B}_M)$ if and only if $\mathrm{supp}(w_{\ell+1}) = \{p < |\bar{w}| \mid w_0 \models_{\mathrm{MSO}} \llbracket M \rrbracket(\mathrm{supp}(w_1), \ldots, \mathrm{supp}(w_\ell), p)\}$.

Proof. Consider the MSO formula

$\forall x\,(X_{\ell+1}(x) \leftrightarrow \llbracket M \rrbracket(X_1, \ldots, X_\ell, x))$

with free set variables $X_1, \ldots, X_{\ell+1}$. From the proof of Büchi's theorem (see e.g. [15]), we find an automaton $\mathcal{B}_M$ over $\Sigma_{\ell+1}$ such that a word $\bar{w} = (w_0, w_1, \ldots, w_{\ell+1}) \in \mathcal{L}(\mathcal{B}_M)$ if and only if $w_0$ satisfies this formula under the valuation $X_i \mapsto \mathrm{supp}(w_i)$ for $1 \leq i \leq \ell+1$. This is equivalent to $\mathrm{supp}(w_{\ell+1}) = \{p < |\bar{w}| \mid w_0 \models_{\mathrm{MSO}} \llbracket M \rrbracket(\mathrm{supp}(w_1), \ldots, \mathrm{supp}(w_\ell), p)\}$ by the definition of this formula. □

As examples, we give the automata $\mathcal{B}_\vee$ and $\mathcal{B}_{\mathrm{U}}$:

[Figure: the Büchi-automata $\mathcal{B}_\vee$ and $\mathcal{B}_{\mathrm{U}}$ over $\Sigma_3$. The transition labels visible in the figure are letters of the form $(a, 0,0,0)$, $(a, 1,0,1)$, $(a, 0,1,1)$, $(a, 1,1,1)$ and $(a, 1,0,0)$.]
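Theorem 4 and the state counts for $\mathcal{B}_\vee$ and $\mathcal{B}_{\mathrm{U}}$ can be made concrete on finite words. The following block is an added example, not taken from the paper: it builds a one-state checker for $\mathcal{B}_\vee$ and a three-state deterministic checker for $\mathcal{B}_{\mathrm{U}}$ over $\Sigma_3$, where a letter is $(a, x_1, x_2, x_3)$ and the automaton must accept exactly when the third track is the modality applied to the first two tracks. The paper's automata are Büchi automata over $\Sigma^\infty$; the finite-word acceptance condition, the state names and the exhaustive comparison against the reference semantics are our assumptions.

```python
# Added example, not from the paper: finite-word variants of the automata
# B_or and B_U of Theorem 4, over the alphabet Sigma_3 = Sigma x {0,1}^3.
# A letter is (a, x1, x2, x3); the automaton must accept exactly when the
# x3 track equals the value of the modality applied to the x1, x2 tracks.
# The paper's automata are Buchi automata over infinite words; the
# acceptance condition below is our finite-word adaptation (an assumption).
from itertools import product

def until_track(x1, x2):
    """Reference semantics of [[U]] (strict, as on the page):
    x3[p] = 1 iff there is z > p with x2[z] = 1 and x1[y] = 1 for all p < y < z."""
    n = len(x1)
    return [int(any(x2[z] and all(x1[y] for y in range(p + 1, z)) for z in range(p + 1, n)))
            for p in range(n)]

def or_track(x1, x2):
    """Reference semantics of [[or]]: x3[p] = X_1(p) or X_2(p)."""
    return [int(u or v) for u, v in zip(x1, x2)]

def run_B_or(word):
    """B_or needs a single state: every letter is checked locally."""
    return all(x3 == int(x1 or x2) for (_, x1, x2, x3) in word)

# States of our B_U: what the previous letter's x3 bit demands of this letter.
FREE, NEED1, NEED0 = "free", "need1", "need0"

def step_B_U(state, letter):
    """Deterministic transition of the three-state B_U; None means no transition.
    x3(p) = 1 iff x2(p+1) = 1 or (x1(p+1) = 1 and x3(p+1) = 1), so the letter at
    p+1 either discharges or violates the obligation recorded from position p."""
    _, x1, x2, x3 = letter
    fulfilled_now = bool(x2 or (x1 and x3))
    if state == NEED1 and not fulfilled_now:
        return None
    if state == NEED0 and fulfilled_now:
        return None
    return NEED1 if x3 else NEED0

def run_B_U(word):
    state = FREE
    for letter in word:
        state = step_B_U(state, letter)
        if state is None:
            return False
    # a strict-until obligation still pending after the last letter cannot be met
    return state in (FREE, NEED0)

def check_theorem4_finite(max_len=4):
    """Exhaustively compare both automata with the reference semantics on every
    annotated word over the constructed one-letter alphabet {a} up to max_len."""
    for n in range(max_len + 1):
        for bits in product((0, 1), repeat=3 * n):
            x1, x2, x3 = bits[0::3], bits[1::3], bits[2::3]
            word = [("a", *t) for t in zip(x1, x2, x3)]
            if run_B_U(word) != (list(x3) == until_track(x1, x2)):
                return False
            if run_B_or(word) != (list(x3) == or_track(x1, x2)):
                return False
    return True

if __name__ == "__main__":
    print(check_theorem4_finite(4))   # True
```

The checker never looks at the word as a whole: one letter plus one of three states decides each step, which is the property the proof of Theorem 7 relies on when it stores a tuple of such states and checks $q \rightarrow^{\bar a} q'$ in polynomial space without ever materialising $\mathcal{A}_\xi$.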



For formulas $\varphi$ and $\psi$, we write $\varphi \leq \psi$ if $\varphi$ is a subformula of $\psi$ (this includes the case $\varphi = \psi$). Let $\xi$ be a formula from $\mathrm{TL}(B)$ and let $\mathrm{Sub}(\xi) = \{\varphi \in \mathrm{TL}(B) \mid \varphi \leq \xi\}$. In the sequel, we will consider words over the alphabet $\bar{\Sigma} = \Sigma \times \{0,1\}^{\mathrm{Sub}(\xi)}$. Typically, the elements of $\bar{\Sigma}$ are of the form $\bar{a} = (a, (a_\varphi)_{\varphi \leq \xi})$ with $a \in \Sigma$ and $a_\varphi \in \{0,1\}$ for $\varphi \leq \xi$. As above, we identify a word $\bar{w} \in \bar{\Sigma}^\infty$ with a tuple of words of the same length: $\bar{w} = (w, (w_\varphi)_{\varphi \leq \xi})$ with $w \in \Sigma^\infty$, $w_\varphi \in \{0,1\}^\infty$ for $\varphi \leq \xi$ and $|\bar{w}| = |w| = |w_\varphi|$.

Now let $\psi = M(\varphi_1, \ldots, \varphi_\ell) \leq \xi$. Then $\bar{a} \lceil \psi := (a, a_{\varphi_1}, \ldots, a_{\varphi_\ell}, a_\psi) \in \Sigma_{\ell+1}$. Accordingly, for $\bar{w} \in \bar{\Sigma}^\infty$ we let $\bar{w} \lceil \psi = (w, w_{\varphi_1}, \ldots, w_{\varphi_\ell}, w_\psi) \in \Sigma_{\ell+1}^\infty$.

The Construction. For a formula $\varphi \in \mathrm{TL}(B)$, let $\mathrm{top}(\varphi)$ be the outermost modality name of $\varphi$. Let $Q = \prod_{\varphi \leq \xi} Q_{\mathrm{top}(\varphi)}$ be the set of states of the automaton $\mathcal{A}_\xi$, where $Q_{\mathrm{top}(\varphi)}$ is the set of states of the Büchi-automaton $\mathcal{B}_{\mathrm{top}(\varphi)}$. The alphabet of $\mathcal{A}_\xi$ is $\bar{\Sigma}$. For a letter $\bar{a} \in \bar{\Sigma}$ and states $p = (p_\varphi)_{\varphi \leq \xi}$ and $q = (q_\varphi)_{\varphi \leq \xi}$, we have a transition $p \rightarrow^{\bar{a}} q$ in $\mathcal{A}_\xi$ if and only if, for all $\varphi \leq \xi$, we have $p_\varphi \rightarrow^{\bar{a} \lceil \varphi} q_\varphi$ in the automaton $\mathcal{B}_{\mathrm{top}(\varphi)}$. Note that a sequence of states $p^0, p^1, \ldots$ defines a run of $\mathcal{A}_\xi$ for a word $\bar{w} \in \bar{\Sigma}^\infty$ if and only if for each $\varphi \leq \xi$, its projection $p^0_\varphi, p^1_\varphi, \ldots$ on $\varphi$ is a run of $\mathcal{B}_{\mathrm{top}(\varphi)}$ for the word $\bar{w} \lceil \varphi$. A run of $\mathcal{A}_\xi$ is accepting if and only if for each $\varphi \leq \xi$, its projection on $\mathcal{B}_{\mathrm{top}(\varphi)}$ is accepting.

Lemma 5. Let $\bar{w} = (w, (w_\varphi)_{\varphi \leq \xi}) \in \bar{\Sigma}^\infty$. Then, $\bar{w} \in \mathcal{L}(\mathcal{A}_\xi)$ if and only if for each $\varphi \leq \xi$ we have $\mathrm{supp}(w_\varphi) = \varphi^w = \{p < |w| \mid w, p \models \varphi\}$.

Proof. Assume $\bar{w} \in \mathcal{L}(\mathcal{A}_\xi)$. We show that $\varphi^w = \mathrm{supp}(w_\varphi)$ by structural induction on $\varphi \leq \xi$. So let $\varphi = M(\varphi_1, \ldots, \varphi_\ell) \leq \xi$ such that $\varphi_i^w = \mathrm{supp}(w_{\varphi_i})$ holds for $1 \leq i \leq \ell$. Since $\bar{w}$ is accepted by the automaton $\mathcal{A}_\xi$, the word $\bar{w} \lceil \varphi = (w, w_{\varphi_1}, \ldots, w_{\varphi_\ell}, w_\varphi)$ is accepted by $\mathcal{B}_M$. Hence, using Theorem 4 and the hypothesis we get

$\mathrm{supp}(w_\varphi) = \{p < |w| \mid w \models_{\mathrm{MSO}} \llbracket M \rrbracket(\mathrm{supp}(w_{\varphi_1}), \ldots, \mathrm{supp}(w_{\varphi_\ell}), p)\}$

$= \{p < |w| \mid w \models_{\mathrm{MSO}} \llbracket M \rrbracket(\varphi_1^w, \ldots, \varphi_\ell^w, p)\}$

$= \varphi^w.$

For the other direction, assume that $\varphi^w = \mathrm{supp}(w_\varphi)$ for all $\varphi \leq \xi$. Let $\varphi = M(\varphi_1, \ldots, \varphi_\ell) \leq \xi$. We have $\varphi^w = \{p < |w| \mid w \models_{\mathrm{MSO}} \llbracket M \rrbracket(\varphi_1^w, \ldots, \varphi_\ell^w, p)\}$ and we get $\mathrm{supp}(w_\varphi) = \{p < |w| \mid w \models_{\mathrm{MSO}} \llbracket M \rrbracket(\mathrm{supp}(w_{\varphi_1}), \ldots, \mathrm{supp}(w_{\varphi_\ell}), p)\}$ using our hypothesis. Since $\bar{w} \lceil \varphi = (w, w_{\varphi_1}, \ldots, w_{\varphi_\ell}, w_\varphi)$ we deduce from Theorem 4 that $\bar{w} \lceil \varphi$ is accepted by $\mathcal{B}_M$. Since this holds for each $\varphi \leq \xi$ we obtain $\bar{w} \in \mathcal{L}(\mathcal{A}_\xi)$. □

Proposition 6. The formula $\xi$ is satisfiable if and only if there exists $\bar{w} \in \mathcal{L}(\mathcal{A}_\xi)$ with $\mathrm{supp}(w_\xi) \neq \emptyset$.

Proof. Assume that $\xi$ is satisfiable. There exist a word $w \in \Sigma^\infty$ and a position $p$ in $w$ with $w, p \models \xi$. For each $\varphi \in \mathrm{TL}(B)$, there is a unique word $w_\varphi \in \{0,1\}^\infty$ with $|w| = |w_\varphi|$ and $\mathrm{supp}(w_\varphi) = \varphi^w$. Let $\bar{w} = (w, (w_\varphi)_{\varphi \leq \xi}) \in \bar{\Sigma}^\infty$. By Lemma 5 we get $\bar{w} \in \mathcal{L}(\mathcal{A}_\xi)$. Moreover, we have $p \in \xi^w = \mathrm{supp}(w_\xi) \neq \emptyset$.

Conversely let $\bar{w} = (w, (w_\varphi)_{\varphi \leq \xi}) \in \mathcal{L}(\mathcal{A}_\xi)$ with $\mathrm{supp}(w_\xi) \neq \emptyset$. By Lemma 5 we get $\emptyset \neq \mathrm{supp}(w_\xi) = \xi^w = \{p < |w| \mid w, p \models \xi\}$. Therefore, $\xi$ is satisfiable. □

Theorem 7. Let $B$ be a finite set of modality names with associated MSO-modalities. Then the satisfiability problem for $\mathrm{TL}(B)$ is in PSPACE.

Proof. Let $\xi$ be some formula from $\mathrm{TL}(B)$ whose satisfiability we want to check. By Proposition 6, we have to decide whether $\mathcal{A}_\xi$ accepts some word $\bar{w}$ with $\mathrm{supp}(w_\xi) \neq \emptyset$. Recall that a state of $\mathcal{A}_\xi$ is a tuple of states from the automata $\mathcal{B}_M$ whose length is bounded by the size of the formula $\xi$. Hence a state of $\mathcal{A}_\xi$ requires space polynomial in the size of $\xi$ and the same holds for any letter from $\bar{\Sigma}$. Given two states $q$ and $q'$ of $\mathcal{A}_\xi$ and a letter $\bar{a} \in \bar{\Sigma}$, one can check in polynomial space whether $q \rightarrow^{\bar{a}} q'$ in $\mathcal{A}_\xi$. Note that the automata $\mathcal{B}_M$ are fixed and need not be computed. Hence the search for an accepting run can be performed by a nondeterministic Turing machine using space polynomial in the size of $\xi$. □

A Kripke structure is a transition system $K = (S, \rightarrow, s, \sigma)$ with $S$ a finite set of states, $\rightarrow \subseteq S^2$ the transition function, $s \in S$ the initial state and $\sigma : S \rightarrow \Sigma$ the labeling function. A formula $\xi \in \mathrm{TL}(B)$ holds in $K$ (written $K \models \xi$) if for all maximal paths $s_0, s_1, \ldots$ in $K$ with $s_0 = s$ we have $\sigma(s_0)\sigma(s_1)\cdots, 0 \models \xi$.

Model Checking Problem for $\mathrm{TL}(B)$ over Words: Given a Kripke structure $K$ and a formula $\xi \in \mathrm{TL}(B)$, do we have $K \models \xi$?

Theorem 8. Let $B$ be a finite set of modality names with associated MSO-modalities. Then the model checking problem for $\mathrm{TL}(B)$ is in PSPACE.

Proof. Let $\xi \in \mathrm{TL}(B)$. The formula $\neg\xi$ is in $\mathrm{TL}(B \cup \{\neg\})$ and we consider the automaton $\mathcal{A}$ obtained from $\mathcal{A}_{\neg\xi}$ by projecting the transition labels to $\Sigma$, i.e., $p \rightarrow^{a} q$ in $\mathcal{A}$ if there exists $\bar{a} = (a, (a_\varphi)_{\varphi \leq \neg\xi}) \in \bar{\Sigma}$ with $p \rightarrow^{\bar{a}} q$ in $\mathcal{A}_{\neg\xi}$. Again, a state of $\mathcal{A}$ can be stored in polynomial space and one can check whether $p \rightarrow^{a} q$ in $\mathcal{A}$ in polynomial space. Therefore, applying the usual technique we get a PSPACE algorithm for the model checking problem. □

The actual performance of the algorithms for satisfiability and model checking depends on the basic automata $\mathcal{B}_M$ for $M \in B$. For PLTL, these basic automata have very few states: $\mathcal{B}_a$ for $a \in \Sigma$, $\mathcal{B}_\neg$ and $\mathcal{B}_\vee$ have just one state, $\mathcal{B}_{\mathrm{U}}$ has three states, and all the other automata have two states. Thus, the automaton $\mathcal{A}_\xi$ has at most $2^m \cdot 3^n$ states where $m$ is the number of occurrences of temporal operators different from $\mathrm{U}$ and $n$ is the number of occurrences of $\mathrm{U}$ in $\xi$.



5 Local Temporal Logic over Traces 

We briefly recall some notions about Mazurkiewicz traces (see [6] for background). A dependence alphabet is a pair $(\Sigma, D)$ where the alphabet $\Sigma$ is a finite set of actions and the dependence relation $D \subseteq \Sigma \times \Sigma$ is reflexive and symmetric.

For a partial order $(V, \leq)$, let $\lessdot$ denote the successor relation $\lessdot = < \setminus <^2$. Further, $\|$ denotes incomparability, i.e., $\| = V \times V \setminus (\leq \cup \geq)$. A (Mazurkiewicz) trace is a finite or infinite labeled partial order $t = (V, \leq, \lambda)$ where $V$ is a set of vertices labeled by $\lambda : V \rightarrow \Sigma$ and $\leq$ is a partial order relation on $V$ satisfying the following conditions:

1. for all $y \in V$, the set $\downarrow y = \{x \in V \mid x \leq y\}$ is finite,

2. $x \| y$ implies $(\lambda(x), \lambda(y)) \notin D$ for all $x, y \in V$, and

3. $x \lessdot y$ implies $(\lambda(x), \lambda(y)) \in D$ for all $x, y \in V$.

The set of all traces is denoted $\mathbb{R}(\Sigma, D)$.

We now interpret monadic second order formulas over traces. The semantics for traces is defined as for words in Sect. 2. Let $t = (V, \leq, \lambda)$ be a trace. A valuation in $t$ for the formula $\varphi$ is now a mapping $\nu$ that assigns elements of $V$ to free individual variables of $\varphi$ and subsets of $V$ to free set variables of $\varphi$. The definition of satisfaction $t, \nu \models_{\mathrm{MSO}} \varphi$ can be taken verbatim from Sect. 2 with the only exception that $t, \nu \models_{\mathrm{MSO}} P_a(x)$ if and only if $\lambda(\nu(x)) = a$. It should be noted that $\nu(x) < \nu(y)$ now refers to the partial order of the trace.

Similarly, the temporal logic $\mathrm{TL}(B)$ is defined as in Definition 2. The only difference is that the semantics $\varphi^t$ is now defined for a trace $t$:

$\varphi^t = \{p \in V \mid t \models_{\mathrm{MSO}} \llbracket M \rrbracket(\varphi_1^t, \ldots, \varphi_\ell^t, p)\}$

and as before, we write $t, p \models \varphi$ for $p \in \varphi^t$.

In the next section we show that the satisfiability problem and the model checking problem are decidable in PSPACE for $\mathrm{TL}(B)$ when $B$ is finite. But first, we show that all modalities that were considered so far in local logics for traces can be defined in our setting. As a corollary, we get that all local temporal logics for traces considered so far are decidable in PSPACE.

We start with event based temporal logics and will consider process based ones later. In addition to the constants $\Sigma$ and the boolean connectives $\neg$ and $\vee$, these logics are built using various temporal modalities described below.

Universal Until. The simplest logic $\mathrm{LocTL}_\Sigma(\mathrm{EX}, \mathrm{U})$ studied in [4] uses only two modalities $\mathrm{EX}$ of arity 1 and $\mathrm{U}$ of arity 2 (there are some technical subtleties about initial modalities or initial satisfiability of a formula that will be discussed later). Intuitively, $\mathrm{EX}\,\varphi$ means that there is an immediate successor of the current vertex where $\varphi$ holds. The universal until $\mathrm{U}$ claims the existence of a vertex $z$ in the future of the current one $x$ such that $\psi$ holds at $z$ and $\varphi$ holds for all vertices between $x$ and $z$. Formally, we have $\mathrm{LocTL}_\Sigma(\mathrm{EX}, \mathrm{U}) = \mathrm{TL}(\Sigma \cup \{\neg, \vee, \mathrm{EX}, \mathrm{U}\})$ if $\mathrm{EX}$ and $\mathrm{U}$ are defined by the following MSO-modalities.

$\llbracket \mathrm{EX} \rrbracket(X_1, x) = \exists z\,(x < z \wedge X_1(z) \wedge \forall y\,(x < y \leq z \rightarrow y = z))$

$\llbracket \mathrm{U} \rrbracket(X_1, X_2, x) = \exists z\,(x < z \wedge X_2(z) \wedge \forall y\,(x < y < z \rightarrow X_1(y)))$

The logic $\mathrm{LocTL}_\Sigma(\mathrm{EX}, \mathrm{U})$ is expressively complete with respect to $\mathrm{FO}_\Sigma(<)$, the first order theory of traces, if and only if the dependence alphabet is a cograph [4]. The satisfiability problem was shown to be PSPACE-complete. The hardness follows from the corresponding result on words. The PSPACE algorithm is obtained using alternating automata. Though not all details were given, the proof of this upper bound was more than 4 pages long in [5]. Since $\mathrm{LocTL}_\Sigma(\mathrm{EX}, \mathrm{U}) = \mathrm{TL}(\Sigma \cup \{\neg, \vee, \mathrm{EX}, \mathrm{U}\})$, it is a trivial corollary of Theorem 9.
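The trace definition and the two modalities above can be exercised on a small example. The block below is added here and is not the paper's code: it computes the trace of a word over a constructed dependence alphabet (the word-to-trace direction that Sect. 6 relies on), checks conditions 2 and 3 of the trace definition on the result, and evaluates $\llbracket \mathrm{EX} \rrbracket$ and $\llbracket \mathrm{U} \rrbracket$ exactly as written above, with $<$ read as the partial order of the trace. The dependence alphabet, the sample words, and the naming of vertices by (letter, occurrence number) are our constructions.

```python
# Added example (not the paper's code): the trace of a word over a dependence
# alphabet, conditions 2 and 3 of a Mazurkiewicz trace, and the MSO-modalities
# [[EX]] and [[U]] of LocTL_Sigma(EX, U) evaluated on the partial order.
from itertools import combinations

def trace_of_word(word, D):
    """Return leq[x][y] for positions x, y of word: x <= y iff there is a chain
    x = p0 < p1 < ... < pk = y of positions whose consecutive letters are
    dependent (reflexive-transitive closure of 'earlier and dependent')."""
    n = len(word)
    leq = [[x == y for y in range(n)] for x in range(n)]
    for y in range(n):
        for x in range(y - 1, -1, -1):
            leq[x][y] = (word[x], word[y]) in D or any(
                leq[x][z] and leq[z][y] for z in range(x + 1, y))
    return leq

def lt(leq, x, y):
    return x != y and leq[x][y]

def covers(leq, x, y):
    """Successor relation x <. y, i.e. '<' minus '<^2'."""
    return lt(leq, x, y) and not any(lt(leq, x, z) and lt(leq, z, y) for z in range(len(leq)))

def is_trace(word, leq, D):
    """Conditions 2 and 3 of the trace definition (condition 1 is trivial for finite words)."""
    for x, y in combinations(range(len(word)), 2):
        dependent = (word[x], word[y]) in D
        incomparable = not (leq[x][y] or leq[y][x])
        if incomparable and dependent:                       # condition 2 violated
            return False
        if (covers(leq, x, y) or covers(leq, y, x)) and not dependent:   # condition 3 violated
            return False
    return True

def EX(leq, X1):
    """[[EX]](X_1, x) = exists z (x < z and X_1(z) and forall y (x < y <= z -> y = z))."""
    n = len(leq)
    return {x for x in range(n) if any(z in X1 and covers(leq, x, z) for z in range(n))}

def U(leq, X1, X2):
    """[[U]](X_1, X_2, x) = exists z (x < z and X_2(z) and forall y (x < y < z -> X_1(y)))."""
    n = len(leq)
    return {x for x in range(n)
            if any(z in X2 and all(y in X1 for y in range(n) if lt(leq, x, y) and lt(leq, y, z))
                   for z in range(n) if lt(leq, x, z))}

def canonical_trace(word, D):
    """Name each vertex (letter, k-th occurrence) so the order no longer depends
    on positions: two linearizations of one trace yield the same set of pairs."""
    leq = trace_of_word(word, D)
    seen, names = {}, []
    for a in word:
        seen[a] = seen.get(a, 0) + 1
        names.append((a, seen[a]))
    n = len(word)
    return frozenset((names[x], names[y]) for x in range(n) for y in range(n) if leq[x][y])

# Constructed dependence alphabet: a and b depend on each other, c is
# independent of both; D is reflexive and symmetric as the definition requires.
SIGMA = "abc"
D = {(a, a) for a in SIGMA} | {("a", "b"), ("b", "a")}

def demo():
    word = "acbca"                       # constructed sample word, positions 0..4
    leq = trace_of_word(word, D)
    assert is_trace(word, leq, D)
    a_pos = {p for p, x in enumerate(word) if x == "a"}
    b_pos = {p for p, x in enumerate(word) if x == "b"}
    return EX(leq, b_pos), U(leq, a_pos, b_pos)

if __name__ == "__main__":
    print(demo())                                                    # ({0}, {0})
    print(canonical_trace("acbca", D) == canonical_trace("cabca", D))  # True
```

In the trace of `acbca` the two `c` vertices form a chain that is incomparable with the chain `a < b < a`, so `EX(b)` holds only at the first `a` and the position of the `c` between them is not "between" `a` and `b` in the order; `canonical_trace` shows that `cabca`, which differs only by swapping independent letters, denotes the same trace.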

Filtered Until. In order to obtain expressive completeness for arbitrary dependence alphabets, [7] considered $\mathrm{LocTL}_\Sigma(\mathrm{EX}, \mathrm{EY}, \mathrm{U}_C, \mathrm{S}_C)$ where $C \subseteq \Sigma$. Compared to the universal until $\mathrm{U}$, the filtered universal until $\mathrm{U}_C$ adds an alphabetic requirement on the vertices that are below $z$ but not below $x$. The modalities $\mathrm{EY}$ and $\mathrm{S}_C$ are the past versions of $\mathrm{EX}$ and $\mathrm{U}_C$. We can express this logic in our framework, $\mathrm{LocTL}_\Sigma(\mathrm{EX}, \mathrm{EY}, \mathrm{U}_C, \mathrm{S}_C) = \mathrm{TL}(\Sigma \cup \{\neg, \vee, \mathrm{EX}, \mathrm{EY}, \mathrm{U}_C, \mathrm{S}_C\})$, if we associate with $\mathrm{EY}$, $\mathrm{U}_C$ and $\mathrm{S}_C$ the following MSO-modalities.

$\llbracket \mathrm{EY} \rrbracket(X_1, x) = \exists z\,(z < x \wedge X_1(z) \wedge \forall y\,(z \leq y < x \rightarrow y = z))$

$\llbracket \mathrm{U}_C \rrbracket(X_1, X_2, x) = \exists z\,(x < z \wedge X_2(z) \wedge \forall y\,(x < y < z \rightarrow X_1(y)) \wedge \forall y\,(y < z \wedge \bigvee_{c \in C} P_c(y) \rightarrow y \leq x))$

$\llbracket \mathrm{S}_C \rrbracket(X_1, X_2, x) = \exists z\,(z < x \wedge X_2(z) \wedge \forall y\,(z < y < x \rightarrow X_1(y)) \wedge \forall y\,(y < x \wedge \bigvee_{c \in C} P_c(y) \rightarrow y \leq z))$

In [7], the logic $\mathrm{LocTL}_\Sigma(\mathrm{EX}, \mathrm{EY}, \mathrm{U}_C, \mathrm{S}_C)$ was shown to be expressively complete with respect to $\mathrm{FO}_\Sigma(<)$ for arbitrary dependence alphabets. The satisfiability problem was also shown to be decidable in PSPACE using two-way alternating automata, the proof being long and non trivial. Again this complexity upper bound becomes a trivial corollary of Theorem 9.
We say that $\mathrm{EX}$, $\mathrm{EY}$, $\mathrm{U}_C$ and $\mathrm{S}_C$ are first order modalities because $\llbracket \mathrm{EX} \rrbracket$, $\llbracket \mathrm{EY} \rrbracket$, $\llbracket \mathrm{U}_C \rrbracket$ and $\llbracket \mathrm{S}_C \rrbracket$ use quantification over individual variables only. The temporal logics defined with FO-modalities are thus trivially contained in $\mathrm{FO}_\Sigma(<)$. We will now see a temporal logic using some modalities that are not FO-definable.

Existential Until. The temporal logic for causality (TLC) was introduced in [1]. In our framework, it can be defined by $\mathrm{TL}(\Sigma \cup \{\neg, \vee, \mathrm{EX}, \mathrm{EY}, \mathrm{Eco}, \mathrm{EG}, \mathrm{EU}, \mathrm{ES}\})$. Intuitively, $\mathrm{Eco}\,\varphi$ claims that $\varphi$ holds for some vertex concurrent to the current one. The formula $\varphi\,\mathrm{EU}\,\psi$ holds if there is a path starting at the current vertex in the Hasse diagram of the trace such that $\varphi$ holds along the path until $\psi$ holds. Similarly, $\mathrm{EG}\,\varphi$ claims the existence of a maximal path in the Hasse diagram of the trace, starting from the current vertex, where $\varphi$ always holds. Finally, $\mathrm{ES}$ is the past version of $\mathrm{EU}$. Formally, the semantics of TLC is obtained with the following MSO-modalities.

$\llbracket \mathrm{Eco} \rrbracket(X_1, x) = \exists z\,(\neg(x \leq z) \wedge \neg(z \leq x) \wedge X_1(z))$

$\llbracket \mathrm{EU} \rrbracket(X_1, X_2, x) = \exists z\,(x < z \wedge X_2(z) \wedge \exists Y\,(\forall y\,(Y(y) \wedge y < z \rightarrow X_1(y)) \wedge Y \text{ is a maximal totally ordered set contained in } \uparrow x \cap \downarrow z))$

$\llbracket \mathrm{ES} \rrbracket(X_1, X_2, x) = \exists z\,(z < x \wedge X_2(z) \wedge \exists Y\,(\forall y\,(Y(y) \wedge z < y \rightarrow X_1(y)) \wedge Y \text{ is a maximal totally ordered set contained in } \downarrow x \cap \uparrow z))$

$\llbracket \mathrm{EG} \rrbracket(X_1, x) = \exists Y\,(\forall y\,(Y(y) \rightarrow X_1(y)) \wedge Y \text{ is a maximal totally ordered set contained in } \uparrow x)$

TLC was proved to be decidable in PSPACE in [1] using a tableau construction. Again, this upper bound becomes a corollary of Theorem 9. The expressiveness results for TLC were established in [4]. For cograph dependence alphabets TLC has the same expressive power as $\mathrm{FO}_\Sigma(<)$, but due to the claim of the existence of a path in the modality $\mathrm{EU}$ it is not contained in FO for arbitrary dependence alphabets.

Initial Satisfiability. A given formula $\xi \in \mathrm{TL}(B)$ is satisfiable over traces if there exists a trace $t \in \mathbb{R}(\Sigma, D)$ and some position $p$ in $t$ such that $t, p \models \xi$.

Since a trace does not necessarily have a unique minimal position, there is no canonical way to define initial satisfiability over traces. Two approaches have been considered.

In [4], an initial modality $\mathrm{EM}\,\varphi$ was introduced with the meaning $t \models \mathrm{EM}\,\varphi$ if there is a minimal position $p$ in $t$ with $t, p \models \varphi$. Then, an initial formula $\alpha$ is a boolean combination of initial modalities and the initial satisfiability problem is to know whether there exists a trace $t \in \mathbb{R}(\Sigma, D)$ with $t \models \alpha$. To cope with this approach, we associate with $\mathrm{EM}$ the MSO modality

$\llbracket \mathrm{EM} \rrbracket(X_1, x) = \exists y\,(X_1(y) \wedge \neg\exists z\,(z < y)).$

Then, the formula $\alpha \in \mathrm{LocTL}_\Sigma(\cdots)$ is initially satisfiable over traces if and only if the formula $\alpha \in \mathrm{TL}(B)$ is satisfiable (with $\llbracket - \rrbracket$) over traces.

In [1] a dual approach is taken which can be dealt with in the same way. Here, it is said that a local formula $\varphi$ is initially satisfiable if there exists a trace $t$ such that $\varphi$ holds at all minimal vertices of $t$, i.e., $t \models \neg\mathrm{EM}\,\neg\varphi$.

The other approach used in [3] is to consider rooted traces. Let $\# \notin \Sigma$ and $t = (V, \leq, \lambda) \in \mathbb{R}(\Sigma, D)$. The rooted trace associated with $t$ is $\# \cdot t = (V \cup \{\#\},\ \leq \cup (\{\#\} \times (V \cup \{\#\})),\ \lambda \cup (\# \mapsto \#))$. It is a trace over the alphabet $\Sigma' = \Sigma \cup \{\#\}$ and the dependence relation $D' = D \cup (\{\#\} \times \Sigma') \cup (\Sigma' \times \{\#\})$. Then, we say that a local formula $\varphi \in \mathrm{LocTL}_\Sigma(\cdots)$ is initially satisfiable if there exists a trace $t \in \mathbb{R}(\Sigma, D)$ such that $\# \cdot t, \# \models \varphi$. To cope with this approach, we add a modality name $\mathrm{init}$ of arity 1 to $B$ with associated MSO-modality

$\llbracket \mathrm{init} \rrbracket(X_1, x) = \exists y\,(X_1(y) \wedge P_\#(y) \wedge \forall z\,(y \leq z) \wedge \forall z\,(P_\#(z) \rightarrow z = y)).$

Then, the formula $\varphi \in \mathrm{LocTL}_\Sigma(\cdots)$ is initially satisfiable over $\mathbb{R}(\Sigma, D)$ if and only if the formula $\mathrm{init}(\varphi) \in \mathrm{TL}(B)$ is satisfiable (with $\llbracket - \rrbracket$) over $\mathbb{R}(\Sigma', D')$.

Process-Based Modalities. We conclude the section by showing that the temporal logic over traces TrPTL introduced by Thiagarajan [13] can also be dealt with in our framework. The underlying idea is that the actions of the dependence alphabet are executed by independent processes. Communication between these processes is possible by the execution of joint actions. Hence, with any action $a \in \Sigma$, we associate a nonempty set of processes $p(a) \subseteq \{1, 2, \ldots, n\}$ in such a way that $(a, b) \in D$ iff $p(a) \cap p(b) \neq \emptyset$. This ensures that events performed by process $i$ are linearly ordered in any trace $t$. With this additional information, one can define modalities that speak about the location of an action. The logic TrPTL is based on modalities $p_i$, $\mathrm{O}_i$ and $\mathrm{U}_i$ ($i \in \{1, \ldots, n\}$) of arity 0, 1 and 2 respectively.

The semantics given in [13] is that of a global temporal logic. Hence it may come as a surprise that we can deal with it in our framework. But actually, apart from initially, formulas are evaluated at prime configurations, i.e., configurations having exactly one maximal element. By identifying a prime configuration with its maximal vertex we see that the logic is actually local. Intuitively, $p_i$ holds if the current vertex is located on process $i$ and $\mathrm{O}_i\,\varphi$ means that $\varphi$ holds at the first vertex of process $i$ which is not below the current one. Finally, $\varphi\,\mathrm{U}_i\,\psi$ means that we have $\varphi$ until $\psi$ on the sequence of vertices located on process $i$ and starting from the last vertex of process $i$ which is below the current one. Formally, the semantics is defined as follows using the macro $P_i(x) = \bigvee_{\{c \mid i \in p(c)\}} P_c(x)$:

$\llbracket \mathrm{O}_i \rrbracket(X_1, x) = \exists y\,(X_1(y) \wedge P_i(y) \wedge \neg(y \leq x) \wedge \forall z\,(P_i(z) \rightarrow (z \leq x \vee y \leq z)))$

$\llbracket \mathrm{U}_i \rrbracket(X_1, X_2, x) = \exists y\,(P_i(y) \wedge y \leq x \wedge \forall z\,(P_i(z) \wedge z \leq x \rightarrow z \leq y) \wedge \exists z\,(P_i(z) \wedge y \leq z \wedge X_2(z) \wedge \forall u\,((P_i(u) \wedge y \leq u < z) \rightarrow X_1(u))))$

TrPTL was proved to be decidable in EXPTIME in [13] using a difficult result on gossip automata over traces [10]. As a corollary of Theorem 9, we can improve this upper bound to PSPACE. Since the logic TrPTL is defined by FO-modalities, it is contained in $\mathrm{FO}_\Sigma(<)$, but the precise expressive power of TrPTL is still unknown.
6 Complexity of Local Temporal Logics for Traces 

We want to show that the following problem is decidable in PSPACE. 

Satisfiability Problem for TL(B) over Traces: Given a formula $\xi \in \mathrm{TL}(B)$, does there exist a trace $t \in \mathbb{R}(\Sigma, D)$ and some position $p$ in $t$ such that $t, p \models \xi$? 

This will be done by a reduction to Theorem 7. For this reason, we first recall the relation between words and traces; more details can be found in [6]. 

Let $t = (V, \le, \lambda)$ be a trace and let $\sqsubseteq$ be any linear extension of $\le$ of order type at most $\omega$. Then we can view $(V, \sqsubseteq, \lambda)$ as a word $w \in \Sigma^\infty$. The set of linearizations $\mathrm{Lin}(t) \subseteq \Sigma^\infty$ of $t$ is the set of all words $w \in \Sigma^\infty$ that arise in this way. Conversely, each word $w \in \Sigma^\infty$ is the linearization of a unique trace $t \in \mathbb{R}(\Sigma, D)$. 

In the following, we will evaluate MSO formulas over words and over traces. To make this clear, we use $\models_{\mathrm{MSO}}$ for traces and $\models'_{\mathrm{MSO}}$ for words (though the context is sufficient to distinguish between the two). There exists an FO formula $\eta(x, y)$ with two free individual variables such that for all traces $t \in \mathbb{R}(\Sigma, D)$, words $w \in \mathrm{Lin}(t)$ and vertices $p, q \in V$, we have $t \models_{\mathrm{MSO}} p \le q$ if and only if $w \models'_{\mathrm{MSO}} \eta(p, q)$. Let $\varphi$ be an MSO formula. We denote by $\varphi'$ the MSO formula obtained by replacing in $\varphi$ any subformula of the form $x \le y$ by $\eta(x, y)$. Then, we have for all traces $t \in \mathbb{R}(\Sigma, D)$, words $w \in \mathrm{Lin}(t)$ and valuations $\nu$ in $V$, $t, \nu \models_{\mathrm{MSO}} \varphi$ if and only if $w, \nu \models'_{\mathrm{MSO}} \varphi'$. 

After these preliminary remarks, fix some set $B$ of modality names together with their arity function and associated MSO-modality defined by the mapping $[\![-]\!] : B \to \mathrm{MSO}_\Sigma(\le)$. This defines a temporal logic $\mathrm{TL}(B)$ whose interpretation over traces with $[\![-]\!]$ is denoted $\models_{[\![-]\!]}$. We also consider the mapping $[\![-]\!]' : B \to \mathrm{MSO}_\Sigma(\le)$ so that for $M \in B$, $[\![M]\!]'$ is obtained by replacing in $[\![M]\!]$ any subformula of the form $x \le y$ by $\eta(x, y)$. The interpretation of $\mathrm{TL}(B)$ over words with $[\![-]\!]'$ is denoted $\models_{[\![-]\!]'}$. We obtain the following essential link between the two semantics: for all $\xi \in \mathrm{TL}(B)$, for all traces $t \in \mathbb{R}(\Sigma, D)$, all words $w \in \mathrm{Lin}(t)$ and all positions $p$ in $t$, we have $t, p \models_{[\![-]\!]} \xi$ if and only if $w, p \models_{[\![-]\!]'} \xi$. 

Therefore, the formula $\xi$ is satisfiable over traces with the MSO-modalities $[\![-]\!]$ if and only if it is satisfiable over words with the MSO-modalities $[\![-]\!]'$. Since, by Theorem 7, this latter question is decidable in space polynomial in the size of $\xi$, we obtain the following 

Theorem 9. Let $(\Sigma, D)$ be a dependence alphabet, $B$ a finite set of modality names with associated MSO-modalities. Then the satisfiability problem for $\mathrm{TL}(B)$ over traces is decidable in PSPACE. 

We turn now to the model checking problem. In order to give its definition, we first introduce asynchronous Kripke structures. We need to fix some notation. Let $\mathrm{Loc}$ be a finite set of locations and let $Q_i$ be a finite set for each $i \in \mathrm{Loc}$. We let $Q_I = \prod_{i \in I} Q_i$ for $I \subseteq \mathrm{Loc}$ and if $q = (q_i)_{i \in \mathrm{Loc}} \in Q_{\mathrm{Loc}}$ then we let $q_I = (q_i)_{i \in I}$ for $I \subseteq \mathrm{Loc}$. An asynchronous Kripke structure (AKS for short) is a tuple $\mathrm{AK} = ((Q_i)_{i \in \mathrm{Loc}}, (\delta_I)_{I \subseteq \mathrm{Loc}}, q^0, (\sigma_i)_{i \in \mathrm{Loc}})$ where $Q_i$ is a finite set of local states for process $i$, $\delta_I \subseteq Q_I \times Q_I$ is a local transition relation, $q^0 \in Q_{\mathrm{Loc}}$ is the global initial state, and $\sigma_i : Q_i \to 2^{\mathrm{AP}_i}$ assigns to each local state the set of atomic propositions from the finite set $\mathrm{AP}_i$ that hold in this state. 

A run of AK is (an isomorphism class of) a labelled partial order $\rho = (V, \le, \ell, W)$ where a vertex $v \in V$ represents the occurrence of a transition, $\le$ is the ordering between transitions, $\ell : V \to 2^{\mathrm{Loc}} \setminus \{\emptyset\}$ gives for each transition $v$ the nonempty set $\ell(v)$ of processes taking part in it and $W$ assigns to each transition $v \in V$ the tuple $W(v) \in Q_{\ell(v)}$ of updated states for the processes in $\ell(v)$. We require that 

1. for all $v \in V$, the set ${\downarrow}v = \{u \in V \mid u \le v\}$ is finite, 

2. $u \parallel v$ implies $\ell(u) \cap \ell(v) = \emptyset$ for all $u, v \in V$, and 

3. $u \lessdot v$ implies $\ell(u) \cap \ell(v) \neq \emptyset$ for all $u, v \in V$. 

This implies in particular that two transitions cannot read or write simultaneously the same process. Finally, the transition relations of AK must be satisfied: for $v \in V$, let $R(v) = (R_i(v))_{i \in \ell(v)}$ be defined by $R_i(v) = q^0_i$ if $\{u < v \mid i \in \ell(u)\} = \emptyset$ and $R_i(v) = W_i(\max(\{u < v \mid i \in \ell(u)\}))$ otherwise. Then, we must have $(R(v), W(v)) \in \delta_{\ell(v)}$ for all $v \in V$. 

If $\rho = (V, \le, \ell, W)$ is a run of AK and $U \subseteq V$ is such that $U = {\downarrow}U = \{u \in V \mid u \le v \text{ for some } v \in U\}$ then the restriction $(U, \le, \ell, W)$ of $\rho$ to $U$ is also a run of AK which is called a prefix of $\rho$. A run of AK is maximal if it is not a strict prefix of some other run of AK. 

Without loss of generality, we may assume that $\sigma_i(q_i) \neq \emptyset$ for all $q_i \in Q_i$ and that the sets $\mathrm{AP}_i$ are pairwise disjoint. Let $\mathrm{AP} = \biguplus_{i \in \mathrm{Loc}} \mathrm{AP}_i$ and $\Sigma = 2^{\mathrm{AP}} \setminus \{\emptyset\}$. For $a \in \Sigma$ we let $\mathrm{loc}(a) = \{i \in \mathrm{Loc} \mid \mathrm{AP}_i \cap a \neq \emptyset\}$. The dependence relation over $\Sigma$ is defined by $(a, b) \in D$ if $\mathrm{loc}(a) \cap \mathrm{loc}(b) \neq \emptyset$. With each run $\rho = (V, \le, \ell, W)$ of AK we associate $t(\rho) = (V, \le, \lambda)$ where $\lambda(v) = \bigcup_{i \in \ell(v)} \sigma_i(W_i(v))$. It is not hard to see that $t(\rho)$ is a trace over $(\Sigma, D)$. 

An asynchronous Kripke structure AK satisfies a temporal formula $\xi \in \mathrm{TL}(B)$ ($\mathrm{AK} \models \xi$) if, for any maximal run $\rho$ of AK, we have $\# \cdot t(\rho), \# \models \xi$. 

Model Checking Problem for TL(B) and AKS: Given an asynchronous Kripke structure AK and a formula $\xi \in \mathrm{TL}(B)$, do we have $\mathrm{AK} \models \xi$? 

Theorem 10. Let $(\mathrm{AP}_i)_{i \in \mathrm{Loc}}$ and $(\Sigma, D)$ be as above. Let $B$ be a finite set of modality names with associated MSO-modalities over the alphabet $\Sigma$. Then the model checking problem for $\mathrm{TL}(B)$ and AKS is decidable in PSPACE. 

Proof. Let $\mathrm{AK} = ((Q_i)_{i \in \mathrm{Loc}}, (\delta_I)_{I \subseteq \mathrm{Loc}}, q^0, (\sigma_i)_{i \in \mathrm{Loc}})$ be an AKS. We define an associated sequential (global) Kripke structure $K = (S, \delta, s_0, \sigma)$. The set of global states is $S = Q_{\mathrm{Loc}} \times 2^{\mathrm{Loc}}$ and $s_0 = (q^0, \mathrm{Loc})$ is the initial global state. The transition relation $\delta \subseteq S \times S$ is defined by $((p, I), (q, J)) \in \delta$ if $J \neq \emptyset$, $(p_J, q_J) \in \delta_J$ and $p_{\bar J} = q_{\bar J}$ where $\bar J = \mathrm{Loc} \setminus J$. Finally, the labelling $\sigma : S \to \Sigma$ is given by 

$\sigma(q, J) =$ 

Runs of K correspond to linearizations of runs of AK. More precisely, let $\rho = (V, \le, \ell, W)$ be a run of AK and let $\sqsubseteq$ be any linear extension of $\le$ of order type at most $\omega$. We can write $V = \{v_1, v_2, \ldots\}$ with $v_{n-1} \sqsubset v_n$. We define a sequence of global states $s_n = (q^n, I_n)$ by $I_0 = \mathrm{Loc}$ and for $n > 0$, $I_n = \ell(v_n)$, $q^n_{I_n} = W(v_n)$ and $q^n_{\bar I_n} = q^{n-1}_{\bar I_n}$. Then, $s_0 s_1 \cdots$ is a run of K which is a linearization of $\rho$. Moreover, the word $\sigma(s_0)\sigma(s_1)\cdots \in \Sigma^\infty$ is a linearization of the trace $t(\rho)$. Conversely, any run of K is a linearization of some run of AK. 

For the model checking problem, we are interested in maximal runs. Clearly, a linearization of a maximal run of AK is a maximal run of K. Conversely, a maximal finite run of K is a linearization of a maximal finite run of AK. Now, an infinite run $(q^0, \mathrm{Loc})(q^1, I_1)(q^2, I_2)\cdots$ of K is a linearization of a maximal run of AK if and only if eventually, there is no enabled transition involving a set of processes that participate in finitely many transitions of the run: there exists $N > 0$ such that for all $\emptyset \neq J \subseteq \mathrm{Loc}$ with $J \cap I_n = \emptyset$ for all $n > N$, we have $(\{q^N_J\} \times Q_J) \cap \delta_J = \emptyset$. We call a run of K accepting if it is either finite and maximal or infinite and satisfies the above condition (which by the way can be described with a Muller table). Hence, accepting runs of K correspond to maximal runs of AK. 

Now, let $\xi \in \mathrm{TL}(B)$. We use the notation introduced for the satisfiability. Then $\mathrm{AK} \models_{[\![-]\!]} \xi$ if and only if for all accepting runs $s_0 s_1 \cdots$ of K we have $\sigma(s_0)\sigma(s_1)\cdots, 0 \models_{[\![-]\!]'} \xi$. Therefore, we are reduced to a model checking problem of a Kripke structure K with some acceptance condition on infinite runs. 

Note that a state of K can be stored in space polynomial in the size of AK. Also, the same space bound suffices to decide whether a pair of states $(s, s')$ forms a transition of K and to compute $\sigma(s)$. Finally, searching for a loop that satisfies the acceptance condition can also be done in space polynomial in the size of AK. One just has to guess at the beginning of the loop the set $J$ of processes that will not participate in the transitions of the loop. This guess is easy to check within the polynomial space bound, as well as the fact that no transition involving a set of processes contained in $J$ is enabled at the beginning of the loop. Therefore, using for $\xi$ (interpreted with $[\![-]\!]'$) the technique described in the proof of Theorem 8, a slight modification of the usual model checking procedure allows us to solve our problem in PSPACE. $\square$ 
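The construction of the sequential structure K from an AKS in the proof above, as an added example that is not part of the paper: it builds the state space $S = Q_{\mathrm{Loc}} \times 2^{\mathrm{Loc}}$ and the transition test for a constructed two-process AKS, enumerates the global states reachable from $s_0 = (q^0, \mathrm{Loc})$, computes for a global state the process sets $J$ with $(\{q_J\} \times Q_J) \cap \delta_J \neq \emptyset$ (the test used in the acceptance condition), and turns a run of AK, given as a list of events in some linear extension, into the run $s_0 s_1 \cdots$ of K by the recipe $I_n = \ell(v_n)$, $q^n_{I_n} = W(v_n)$, $q^n_{\bar I_n} = q^{n-1}_{\bar I_n}$. The AKS, the names `LOC`, `Q`, `DELTA`, `SIGMA` and the helper functions are my own; the labelling of $(q, J)$ as the union of $\sigma_i(q_i)$ over $i \in J$ is an assumption, since the page does not give the right-hand side of $\sigma(q, J)$.

```python
from itertools import combinations, product

# Constructed toy AKS with two processes (locations) 0 and 1.  Each process
# has two local states; they move locally and then reset together.
LOC = (0, 1)
Q = {0: ("a0", "a1"), 1: ("b0", "b1")}
Q0 = ("a0", "b0")                                   # global initial state q^0
SIGMA = {0: {"a0": frozenset({"p0"}), "a1": frozenset({"p1"})},
         1: {"b0": frozenset({"r0"}), "b1": frozenset({"r1"})}}
# Local transition relations delta_J, keyed by the set J of participating
# processes; each pair is (q_J, q'_J) with components ordered by process id.
DELTA = {
    frozenset({0}): {(("a0",), ("a1",))},
    frozenset({1}): {(("b0",), ("b1",))},
    frozenset({0, 1}): {(("a1", "b1"), ("a0", "b0"))},
}


def project(q, J):
    """q_J: restrict a global state tuple to the processes in J."""
    return tuple(q[i] for i in sorted(J))


def global_states():
    """S = Q_Loc x 2^Loc, the state space of the sequential structure K."""
    subsets = [frozenset(c) for r in range(len(LOC) + 1)
               for c in combinations(LOC, r)]
    return [(q, J) for q in product(*(Q[i] for i in LOC)) for J in subsets]


def is_transition(s, t):
    """((p, I), (q, J)) is a transition of K iff J is nonempty,
    (p_J, q_J) is in delta_J, and p and q agree outside J."""
    (p, _), (q, J) = s, t
    if not J:
        return False
    outside = frozenset(LOC) - J
    return ((project(p, J), project(q, J)) in DELTA.get(J, set())
            and project(p, outside) == project(q, outside))


def label(s):
    """Assumed labelling sigma(q, J): union of sigma_i(q_i) over i in J."""
    q, J = s
    return frozenset().union(*(SIGMA[i][q[i]] for i in J))


def reachable(start=(Q0, frozenset(LOC))):
    """Global states of K reachable from s_0 = (q^0, Loc)."""
    seen, todo = {start}, [start]
    while todo:
        s = todo.pop()
        for t in global_states():
            if is_transition(s, t) and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def enabled_sets(q):
    """Process sets J for which ({q_J} x Q_J) meets delta_J, i.e. some
    transition involving exactly the processes in J is enabled at q.  The
    acceptance condition requires this to exclude every J that stays idle
    from some point of the run on."""
    return {J for J, rel in DELTA.items()
            if any(p == project(q, J) for p, _ in rel)}


def linearize(events, q0=Q0):
    """Events (ell(v_n), W(v_n)) of a run of AK, listed in a linear
    extension, mapped to the run s_0 s_1 ... of K as in the proof.  Every
    step is checked against delta."""
    q = tuple(q0)
    states = [(q, frozenset(LOC))]
    for J, w in events:
        J = frozenset(J)
        updated = dict(zip(sorted(J), w))
        q = tuple(updated.get(i, q[i]) for i in LOC)
        nxt = (q, J)
        if not is_transition(states[-1], nxt):
            raise ValueError(f"event {(J, w)} is not enabled at {states[-1]}")
        states.append(nxt)
    return states


if __name__ == "__main__":
    for s in sorted(reachable(), key=str):
        print(s, "labelled", sorted(label(s)))
```

Only five of the sixteen elements of $S$ are reachable here; the joint reset transition leads back to $s_0$ itself because its participant set is all of $\mathrm{Loc}$.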

The theorems above show that for any of the local temporal logics introduced in Sect. 5, the satisfiability and the model checking problems become decidable in PSPACE. For some of these logics, this result was known; for TrPTL [13], it seems to be new. 

7 Generalizations 

The framework of MSO-definable local temporal logics extends verbatim to more general partial orders than Mazurkiewicz traces. The difficulty is to find reasonable classes of partial orders such that complexity results can be obtained for the satisfiability and the model checking problems. For instance, we can show that for the class of all Message sequence charts (MSCs), the satisfiability for a very restricted local temporal logic (namely, a small fragment of $\mathrm{TLC}^-$) is undecidable. On the other hand, there are natural subclasses of MSCs for which the satisfiability problem is decidable in PSPACE. These results will appear in a forthcoming paper. 
Abstract. The equivalence checking of systems that are given as a composition of interacting finite-state systems is considered. It is shown that the problem is EXPTIME-hard for any notion of equivalence that lies between bisimulation equivalence and trace equivalence, as conjectured by Rabinovich (1997). The result is proved for parallel composition of finite-state systems where hiding of actions is allowed, and for 1-safe Petri nets. The technique of the proof allows one to extend this result easily to other types of ‘non-flat’ systems. 

Keywords: equivalence checking, finite-state systems, complexity 


1 Introduction 

One problem that naturally arises in the area of automatic verification of systems 
is the problem of equivalence checking. This problem can be stated as follows: 
given two descriptions of labelled transition systems, decide if the systems behave 
equivalently. 

Many different types of equivalences were proposed in the literature, and some of the most prominent were organized by van Glabbeek [10] into the linear time - branching time spectrum. All these equivalences lie between bisimulation equivalence (which is the finest of these equivalences) and trace equivalence (which is the coarsest). 

We call a finite transition system that is given explicitly a flat transition system. A non-flat system is a system given as a composition of interacting flat systems. The set of global states of a non-flat system can be exponentially larger than the sum of sizes of its parts. This phenomenon is known as state explosion and presents the main challenge in the design of efficient algorithms for verification of non-flat systems. 

Overview of Existing Results. Rabinovich [6] considered a composition of finite-state systems that synchronize on identical actions and where some actions may be ‘hidden’ in the sense that they are replaced with invisible $\tau$ actions. He proved that equivalence checking is PSPACE-hard for such systems for any relation between bisimilarity and trace equivalence, and that the problem is EXPSPACE-complete for trace equivalence. He also mentioned that the problem is EXPTIME-complete for bisimilarity and conjectured that the problem is in fact EXPTIME-hard for any relation between bisimilarity and trace equivalence. 

* This work was sponsored by the Grant Agency of the Czech Republic, Grant 

Laroussinie and Schnoebelen [5] confirmed Rabinovich’s conjecture for all relations that lie between bisimilarity and simulation preorder. The non-flat systems used in their proof synchronize on identical actions and do not use hiding. It is not possible to extend their result to all equivalences between bisimilarity and trace equivalence, because for example trace equivalence can be decided in PSPACE for this model, as was proved in [8]. See also [9] for results for other types of ‘trace-like’ equivalences and non-flat systems. Another type of non-flat system is 1-safe Petri nets. See [4] for some results concerning them; in particular, deciding bisimilarity is EXPTIME-complete for 1-safe Petri nets. 

Our Contribution. Rabinovich’s conjecture is confirmed in this paper for all relations between bisimilarity and trace preorder, not only for relations between bisimilarity and simulation preorder. We show that equivalence checking is EXPTIME-hard for any such relation if the considered model is a parallel composition of finite-state systems with hiding, the model for which Rabinovich formulated his conjecture in [6]. 

To simplify the proof, a new auxiliary model called reactive linear bounded automaton (RLBA) is introduced in this paper. Reactive linear bounded automata can be easily modeled by different types of non-flat systems, for example by parallel compositions of finite-state systems with hiding, or by 1-safe Petri nets. The EXPTIME-hardness result is shown for RLBA first, and then it is extended to other types of non-flat systems that are able to model RLBA. 

From the construction in the proof we also obtain a simpler proof of the result, shown in [7], that equivalence checking is PTIME-hard for flat systems for every relation between bisimilarity and trace preorder. 

Overview of the Paper. Section 2 contains some necessary definitions. The outline of the proof is presented in Sect. 3. Reactive linear bounded automata are introduced in Sect. 4, together with the description of how they can be transformed into other non-flat systems. The proof of PTIME-hardness of equivalence checking in the case of flat systems is presented in Sect. 5. The construction in this proof forms the base of the more complicated construction described in Sect. 6 where we show that equivalence checking is EXPTIME-hard for reactive linear bounded automata. 

2 Basic Definitions 

2.1 Labelled Transition Systems 

A labelled transition system (LTS) is a tuple $T = (S, A, \to)$ where $S$ is a set of states, $A$ is the finite set of actions, and ${\to} \subseteq S \times (A \cup \{\tau\}) \times S$ is a transition relation where $\tau \notin A$ is a special invisible action. We write $s \xrightarrow{a} s'$ instead of $(s, a, s') \in {\to}$. Only finite-state LTSs where $S$ is finite are considered in this paper. 

An LTS $T = (S, A, \to)$ where $S$, $A$ and $\to$ are given explicitly is called a flat system (FS) and the size $|T|$ of FS $T$ is $|S| + |A| + |{\to}|$. 

More complicated LTSs can be created from FSs by parallel composition and hiding. In the parallel composition a visible action $a$ is executed iff every LTS that has $a$ in its alphabet executes it. Invisible actions are not synchronized, that is, when an LTS executes the invisible action $\tau$, other LTSs do nothing. Formally, the parallel composition $T_1 \parallel \cdots \parallel T_n$ of LTSs $T_1, \ldots, T_n$ where $T_i = (S_i, A_i, \to_i)$ for each $i \in I$ where $I = \{1, \ldots, n\}$, is the LTS $(S, A, \to)$ where $S = S_1 \times \cdots \times S_n$, $A = A_1 \cup \cdots \cup A_n$, and $(s_1, \ldots, s_n) \xrightarrow{a} (s'_1, \ldots, s'_n)$ iff either 

– $a \in A$ and for every $i \in I$: if $a \in A_i$, then $s_i \xrightarrow{a}_i s'_i$, and if $a \notin A_i$, then $s_i = s'_i$, 

– $a = \tau$ and for some $i \in I$ is $s_i \xrightarrow{\tau}_i s'_i$ and $s_j = s'_j$ for each $j \in I$ such that $j \neq i$. 

Tuples from $S_1 \times \cdots \times S_n$ are called global states. In this paper only binary synchronizations are needed, where any $a \in A$ belongs to at most two different $A_i$. 

Hiding of actions removes a set of visible actions from the alphabet of an LTS and relabels corresponding transitions with the invisible action $\tau$. Formally, $\mathbf{hide}\ B\ \mathbf{in}\ T_1$, where $T_1$ is an LTS $(S_1, A_1, \to_1)$ and $B \subseteq A_1$, denotes the LTS $(S, A, \to)$ where $S = S_1$, $A = A_1 - B$, and $s \xrightarrow{a} s'$ iff there is some $a' \in (A_1 \cup \{\tau\})$ such that $s \xrightarrow{a'}_1 s'$ and either $a \notin B$ and $a = a'$, or $a' \in B$ and $a = \tau$. 

A parallel composition with hiding (PCH) is an LTS $T$ given in the form $\mathbf{hide}\ B\ \mathbf{in}\ (T_1 \parallel \cdots \parallel T_n)$ where $T_1, \ldots, T_n$ are FSs. The size $|T|$ of PCH $T$ is $|T_1| + \cdots + |T_n| + |B|$. 
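The parallel composition and hiding operators just defined, as an added example that is not code from the paper: flat systems are triples of states, visible actions and transitions, `compose` synchronises a visible action over every component whose alphabet contains it and interleaves $\tau$ steps, `hide` relabels the hidden actions with $\tau$ and drops them from the alphabet, and `explosion` shows the size gap between a PCH description and its set of global states. The sample components `T1`, `T2` and `toggler` are constructed for the example.

```python
from itertools import product

TAU = "tau"   # the invisible action tau


class LTS:
    """A flat system: states, visible actions and a set of (s, a, s') triples."""

    def __init__(self, states, actions, trans):
        self.S = frozenset(states)
        self.A = frozenset(actions)
        self.trans = frozenset(trans)

    def size(self):
        """|T| = |S| + |A| + |->|."""
        return len(self.S) + len(self.A) + len(self.trans)


def compose(*parts):
    """T_1 || ... || T_n: a visible action is taken by every component whose
    alphabet contains it (the others stay put); tau moves interleave."""
    S = set(product(*(p.S for p in parts)))
    A = frozenset().union(*(p.A for p in parts))
    trans = set()
    for g in S:
        for a in A:
            options = []          # per component: its a-successors, or itself
            for i, p in enumerate(parts):
                if a in p.A:
                    options.append([t for (s, b, t) in p.trans
                                    if s == g[i] and b == a])
                else:
                    options.append([g[i]])
            for g2 in product(*options):      # empty if some component blocks
                trans.add((g, a, tuple(g2)))
        for i, p in enumerate(parts):
            for (s, b, t) in p.trans:
                if s == g[i] and b == TAU:
                    g2 = list(g)
                    g2[i] = t
                    trans.add((g, TAU, tuple(g2)))
    return LTS(S, A, trans)


def hide(B, lts):
    """hide B in T: remove B from the alphabet, relabel its transitions tau."""
    B = frozenset(B)
    return LTS(lts.S, lts.A - B,
               {(s, TAU if a in B else a, t) for (s, a, t) in lts.trans})


def pch_size(parts, B):
    """|T| of the PCH  hide B in (T_1 || ... || T_n)."""
    return sum(p.size() for p in parts) + len(B)


# Constructed sample: two components that each take a private step and then
# must synchronise on "sync" to return to their initial state.
T1 = LTS({0, 1}, {"a", "sync"}, {(0, "a", 1), (1, "sync", 0)})
T2 = LTS({0, 1}, {"b", "sync"}, {(0, "b", 1), (1, "sync", 0)})


def toggler(i):
    """A two-state component with a single private action (constructed)."""
    return LTS({0, 1}, {("t", i)}, {(0, ("t", i), 1), (1, ("t", i), 0)})


def explosion(n):
    """(number of global states, PCH size) for n independent togglers: the
    state space grows as 2^n while the description grows linearly in n."""
    parts = [toggler(i) for i in range(n)]
    return len(compose(*parts).S), pch_size(parts, set())


if __name__ == "__main__":
    c = hide({"a", "b"}, compose(T1, T2))
    for tr in sorted(c.trans, key=str):
        print(tr)
    print("global states vs. PCH size for 4 togglers:", explosion(4))
```

In `compose(T1, T2)` the global state $(1, 0)$ has no `sync` move because $T_2$ is not ready for it; this blocking is what the product of successor lists expresses, and it is the mechanism that lets small components encode large synchronised state spaces.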

Other types of non-flat systems are 1-safe Petri nets. A labelled net is a tuple $N = (P, T, F, \lambda)$, where $P$ and $T$ are finite sets of places and transitions, $F \subseteq (P \times T) \cup (T \times P)$ is the flow relation, and $\lambda : T \to A$ is a labelling function that associates to each transition $t$ a label $\lambda(t)$ taken from some given set of actions $A$. Pairs from $F$ are called arcs. We identify $F$ with its characteristic function $(P \times T) \cup (T \times P) \to \{0, 1\}$. A marking is a mapping $M : P \to \mathbb{N}$. A labelled Petri net is a pair $\mathcal{N} = (N, M_0)$ where $N$ is a labelled net and $M_0$ is the initial marking. A transition $t$ is enabled at a marking $M$ if $M(p) > 0$ for every $p$ such that $(p, t) \in F$. If $t$ is enabled in $M$, then it can fire and its firing leads to the successor marking $M'$ which is defined for every place $p$ by $M'(p) = M(p) + F(t, p) - F(p, t)$. Given $a \in A$, we denote by $M \xrightarrow{a} M'$ that there is some transition $t$ such that $M$ enables transition $t$, the marking reached by the firing of $t$ is $M'$, and $\lambda(t) = a$. A Petri net is 1-safe if $M(p) \le 1$ for every place $p$ and every reachable marking $M$. 
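The firing rule and the 1-safety condition above, as an added example (my code, not the paper's): a labelled net keeps $F$ as a set of arcs and uses its characteristic function in $M'(p) = M(p) + F(t,p) - F(p,t)$; `explore` computes the reachable markings and decides 1-safety, stopping as soon as some place receives a second token so that it also terminates on unbounded nets. The two sample nets (a mutex shared by two processes, and a generator transition with no input place) and all names are constructed for the example.

```python
class LabelledNet:
    """A labelled net N = (P, T, F, lambda); F is stored as a set of arcs
    and F(x, y) below is its characteristic function."""

    def __init__(self, places, transitions, arcs, labels):
        self.P = tuple(places)
        self.T = tuple(transitions)
        self.arcs = frozenset(arcs)
        self.labels = dict(labels)

    def F(self, x, y):
        return 1 if (x, y) in self.arcs else 0

    def enabled(self, M, t):
        """t is enabled at M iff every input place of t carries a token."""
        return all(M[p] > 0 for p in self.P if (p, t) in self.arcs)

    def fire(self, M, t):
        """Successor marking M'(p) = M(p) + F(t, p) - F(p, t)."""
        return {p: M[p] + self.F(t, p) - self.F(p, t) for p in self.P}

    def steps(self, M):
        """Labelled steps M --a--> M' available at M."""
        return {(self.labels[t], frozenset(self.fire(M, t).items()))
                for t in self.T if self.enabled(M, t)}


def explore(net, M0):
    """Return (reachable markings, is_one_safe) for the Petri net (N, M0).
    The search aborts on the first marking with a place holding more than
    one token, so unbounded nets are reported as not 1-safe in finite time."""
    def key(M):
        return frozenset(M.items())

    seen, todo = {key(M0)}, [dict(M0)]
    while todo:
        M = todo.pop()
        for t in net.T:
            if not net.enabled(M, t):
                continue
            M2 = net.fire(M, t)
            if any(v > 1 for v in M2.values()):
                return seen, False
            if key(M2) not in seen:
                seen.add(key(M2))
                todo.append(M2)
    return seen, True


def marking(net, marked):
    """Marking with exactly the given places holding one token."""
    return {p: (1 if p in marked else 0) for p in net.P}


# Constructed sample 1: two processes p1, p2 competing for one mutex place m.
MUTEX = LabelledNet(
    places=["p1", "p2", "m", "c1", "c2"],
    transitions=["e1", "x1", "e2", "x2"],
    arcs=[("p1", "e1"), ("m", "e1"), ("e1", "c1"),
          ("c1", "x1"), ("x1", "p1"), ("x1", "m"),
          ("p2", "e2"), ("m", "e2"), ("e2", "c2"),
          ("c2", "x2"), ("x2", "p2"), ("x2", "m")],
    labels={"e1": "enter", "x1": "exit", "e2": "enter", "x2": "exit"})
MUTEX_M0 = marking(MUTEX, {"p1", "p2", "m"})

# Constructed sample 2: a transition without input places is always enabled
# and keeps adding tokens to p, so (GENERATOR, p=0) is not 1-safe.
GENERATOR = LabelledNet(["p"], ["g"], [("g", "p")], {"g": "tick"})


if __name__ == "__main__":
    reach, safe = explore(MUTEX, MUTEX_M0)
    print(len(reach), "reachable markings; 1-safe:", safe)
    print("generator 1-safe:", explore(GENERATOR, {"p": 0})[1])
```

The mutex net has three reachable markings and never marks `c1` and `c2` together, which is exactly the property that makes the 1-safe encoding of a control state plus tape cells in Lemma 2 below work: every place is either empty or holds one token.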

Let $T = (S, A, \to)$ be an LTS. A trace from $s \in S$ is any $w = a_1 \ldots a_n \in A^*$ such that there is a sequence $s_0, s_1, \ldots, s_n \in S$ where $s_0 = s$ and $s_{i-1} \xrightarrow{a_i} s_i$ for every $1 \le i \le n$. The set of all traces from $s$ is denoted $\mathrm{Tr}(s)$. States $s, s'$ are in trace preorder, written $s \sqsubseteq_{tr} s'$, iff $\mathrm{Tr}(s) \subseteq \mathrm{Tr}(s')$. States $s, s'$ are trace equivalent iff $s \sqsubseteq_{tr} s'$ and $s' \sqsubseteq_{tr} s$. 

A bisimulation over $T$ is any relation $\mathcal{R} \subseteq S \times S$ satisfying the following two conditions for each $s, t \in S$ such that $s \mathcal{R} t$: 

– if $s \xrightarrow{a} s'$ for some $s'$, then $t \xrightarrow{a} t'$ for some $t'$ such that $s' \mathcal{R} t'$, and 

– if $t \xrightarrow{a} t'$ for some $t'$, then $s \xrightarrow{a} s'$ for some $s'$ such that $s' \mathcal{R} t'$. 

(It is said that $s \xrightarrow{a} s'$ is matched by $t \xrightarrow{a} t'$, resp. $t \xrightarrow{a} t'$ by $s \xrightarrow{a} s'$.) States $s, s'$ are bisimilar, written $s \sim s'$, iff there exists some bisimulation $\mathcal{R}$ such that $s \mathcal{R} s'$. 

Let $\mathcal{R}$ be some binary relation defined over states of LTSs, such that $s \sim s'$ implies $s \mathcal{R} s'$, and $s \mathcal{R} s'$ implies $s \sqsubseteq_{tr} s'$, i.e., ${\sim} \subseteq \mathcal{R} \subseteq {\sqsubseteq_{tr}}$. The problem FS-EQ$_{\mathcal{R}}$ is defined as: 

Instance: An FS $T$ and its two states $s$ and $s'$. 

Question: Is $s \mathcal{R} s'$? 

the problem PCH-EQ$_{\mathcal{R}}$ as: 

Instance: A PCH $T$ and its two global states $(s_1, \ldots, s_n)$ and $(s'_1, \ldots, s'_n)$. 
Question: Is $(s_1, \ldots, s_n) \mathcal{R} (s'_1, \ldots, s'_n)$? 

and the problem PN-EQ$_{\mathcal{R}}$ as: 

Instance: A labelled net $N$ with two markings $M, M'$, such that $(N, M)$ and $(N, M')$ are 1-safe Petri nets. 

Question: Is $M \mathcal{R} M'$? 

The main results of the paper show that FS-EQ$_{\mathcal{R}}$ is PTIME-hard, and PCH-EQ$_{\mathcal{R}}$ and PN-EQ$_{\mathcal{R}}$ are EXPTIME-hard for any $\mathcal{R}$ satisfying ${\sim} \subseteq \mathcal{R} \subseteq {\sqsubseteq_{tr}}$. 

2.2 Alternating Graphs 

In the proof of PTIME-hardness of FS-EQ$_{\mathcal{R}}$ we show a logspace reduction from the Alternating Graph Problem (AGP) that is known to be PTIME-complete, see for example [2]. The definition of this problem follows. 

An alternating graph is a directed graph $G = (V, E, t)$ where $V$ is a finite set of nodes, $E \subseteq V \times V$ is a set of edges, and $t : V \to \{\wedge, \vee\}$ is a labelling function that partitions $V$ into sets $V_\wedge$ and $V_\vee$ of conjunctive and disjunctive nodes. The set of successors of a node $v$, i.e., the set $\{v' \in V \mid (v, v') \in E\}$, is denoted by $\sigma(v)$. 

The set of successful nodes $W$ is the least subset of $V$ with the property that if a node $v$ is conjunctive and all nodes from $\sigma(v)$ are in $W$, or disjunctive and at least one node from $\sigma(v)$ is in $W$, then $v$ also belongs to $W$. AGP is the problem whether a given node is successful: 

Instance: An alternating graph $G = (V, E, t)$ and a node $v \in V$. 

Question: Is $v$ successful? 

Let $\mathcal{P}(V)$ be the power set of $V$. Notice that $W$ is the least fixed point of a function $f : \mathcal{P}(V) \to \mathcal{P}(V)$ where for $U \subseteq V$ is $v \in f(U)$ iff either $v \in V_\wedge$ and $(\forall v' \in \sigma(v) : v' \in U)$, or $v \in V_\vee$ and $(\exists v' \in \sigma(v) : v' \in U)$. 

Let us have a node that has no successors. If this node is conjunctive, it is called an accepting node, and otherwise it is called a rejecting node. Notice that accepting nodes are always successful, rejecting nodes are never successful, and that $W$ is nonempty iff $G$ contains at least one accepting node. 

2.3 Alternating Linear Bounded Automata 

In the proof we use a logspace reduction from a well known EXPTIME-complete problem that is called ALBA-ACCEPT in this paper. It is the problem of deciding if a given alternating linear bounded automaton accepts a given word. Its definition follows; see [1] for further details. 

A linear bounded automaton (LBA) is a tuple $A = (Q, \Sigma, \Gamma, \delta, q_0, q_{acc}, q_{rej})$, where $Q$ is a set of control states, $\Sigma$ is an input alphabet, $\Gamma$ is a tape alphabet, $\delta \subseteq (Q \setminus \{q_{acc}, q_{rej}\}) \times \Gamma \times Q \times \Gamma \times \{-1, +1\}$ is a set of transitions, and $q_0, q_{acc}, q_{rej} \in Q$ are an initial, accepting and rejecting state. The alphabet $\Sigma$ contains left and right endmarkers $\vdash$ and $\dashv$. 

A configuration of $A$ is a triple $\alpha = (q, w, i)$ where $q$ is the current state, $w = a_1 a_2 \cdots a_n$ is the tape content, and $1 \le i \le |w|$ is the head position. Only configurations where $w = {\vdash} w' {\dashv}$ and endmarkers do not occur in $w'$ are allowed. The size $|\alpha|$ of $\alpha$ is $|w|$. A configuration $\alpha' = (q', w', i')$ is a successor of $\alpha = (q, w, i)$, written $\alpha \vdash_A \alpha'$ (or just $\alpha \vdash \alpha'$ when $A$ is obvious), iff $(q, a, q', a', d) \in \delta$, $w$ contains $a$ on position $i$, $i' = i + d$, and $w'$ is obtained from $w$ by writing $a'$ on position $i$. Endmarkers may not be overwritten, and the machine is constrained never to move left of the $\vdash$ nor right of the $\dashv$. Notice that when $\alpha \vdash \alpha'$, then $|\alpha| = |\alpha'|$. The initial configuration for an input $w \in \Sigma^*$ is $\alpha_{ini}(w) = (q_0, {\vdash} w {\dashv}, 1)$. A configuration is accepting iff $q = q_{acc}$ and rejecting iff $q = q_{rej}$. 

An alternating LBA (ALBA) is an LBA extended with a function $l : Q \to \{\wedge, \vee\}$ that labels each state as either conjunctive or disjunctive. We extend $l$ to configurations in an obvious manner and so also configurations are labeled as conjunctive and disjunctive. A configuration is successful iff it is either accepting, or disjunctive with at least one successful successor, or conjunctive with all successors successful. An ALBA $A$ accepts an input $w \in \Sigma^*$ iff $\alpha_{ini}(w)$ is successful. 

The problem ALBA-ACCEPT is defined as: 

Instance: An ALBA $A$ and a word $w \in \Sigma^*$. 

Question: Does $A$ accept $w$? 

Notice that there is a close relationship between AGP and ALBA-ACCEPT. A computation of an ALBA can be viewed as an alternating graph where successful nodes correspond to successful configurations. The size of this graph can be exponentially larger than the size of the corresponding instance of ALBA-ACCEPT. 
3 Outline of the Proof 

Reactive linear bounded automata (RLBA) are introduced in Sect. 4 and it is shown that they can be modeled by other types of non-flat systems, in particular by PCH and by 1-safe Petri nets. An RLBA is similar to a usual LBA, but is intended to generate an LTS, not to accept or reject an input. The equivalence checking problem where the instance is an RLBA and two of its configurations is denoted RLBA-EQ$_{\mathcal{R}}$ in this paper. 

The main technical result of the paper shows that RLBA-EQ$_{\mathcal{R}}$ is EXPTIME-hard for any relation $\mathcal{R}$ satisfying ${\sim} \subseteq \mathcal{R} \subseteq {\sqsubseteq_{tr}}$. From this follows EXPTIME-hardness of equivalence checking for every model that is able to model an RLBA. 

To show EXPTIME-hardness of RLBA-EQ$_{\mathcal{R}}$, we present a logspace reduction from ALBA-ACCEPT. The construction in the proof is based on a simpler construction that can be used to show PTIME-hardness of FS-EQ$_{\mathcal{R}}$. This simpler construction is presented in Sect. 5, where we show a logspace reduction from AGP to the complement of FS-EQ$_{\mathcal{R}}$ that works for any $\mathcal{R}$ such that ${\sim} \subseteq \mathcal{R} \subseteq {\sqsubseteq_{tr}}$. The basic idea is to construct an LTS with two distinguished states $s, s'$, such that $s \not\sqsubseteq_{tr} s'$ if the answer to the original problem is yes, and $s \sim s'$ otherwise. The same construction can be used for every $\mathcal{R}$, because $s \not\sqsubseteq_{tr} s'$ implies that not $s \mathcal{R} s'$, and $s \sim s'$ implies $s \mathcal{R} s'$. The same idea was also used for example in [3] and [6]. We can conclude that the complement of FS-EQ$_{\mathcal{R}}$ is PTIME-hard for any $\mathcal{R}$, and so also FS-EQ$_{\mathcal{R}}$ is PTIME-hard because PTIME is closed under complement. PTIME-hardness of FS-EQ$_{\mathcal{R}}$ was already proved in [7], but the reduction presented here is simpler. 

Now consider ALBA-ACCEPT, a well known EXPTIME-complete problem. A computation of an ALBA can be viewed as an alternating graph, where successful nodes correspond to successful configurations, and this allows us to ‘shift’ the previous result ‘higher’ in the complexity hierarchy. We will construct an RLBA that will model the LTS which we would obtain if we applied the above mentioned reduction to the alternating graph corresponding to the computation of the ALBA. Moreover, logarithmic space will be sufficient for the construction of this RLBA from the instance of ALBA-ACCEPT. 

4 Reactive Linear Bounded Automata 

Reactive linear bounded automata are introduced in this section. A reactive linear bounded automaton (RLBA) is like a usual LBA, but it has special control states, called reactive states, where it can perform actions from some given set of actions $A$. Only the control state is changed after performing such actions; neither the tape content nor the head position is modified. The other control states are called computational and the RLBA performs steps as a usual LBA in them. Each such step is represented as the invisible action $\tau$. 

Formally, an RLBA is a tuple $B = (Q, \Gamma, \delta, A, l, \to)$, where the meaning of $Q$, $\Gamma$ and $\delta$ is the same as in a usual LBA, $A$ is the finite set of actions, the function $l : Q \to \{r, c\}$ partitions $Q$ into sets $Q_r$ and $Q_c$ of reactive and computational states, and ${\to} \subseteq Q_r \times (A \cup \{\tau\}) \times Q$ is the transition relation (we write $q \xrightarrow{a} q'$ instead of $(q, a, q') \in {\to}$). It is also required that if $(q, b, q', b', d) \in \delta$ then $q \in Q_c$. The definition of a configuration and a successor relation is the same as for a usual LBA. 

An RLBA $B$ generates an LTS $T(B) = (S, A, \to)$, where $S$ is the set of configurations of $B$, and $(q, w, i) \xrightarrow{a} (q', w', i')$ iff either $q \in Q_c$, $(q, w, i) \vdash (q', w', i')$ and $a = \tau$, or $q \in Q_r$, $q \xrightarrow{a} q'$, $w = w'$ and $i = i'$. 

For each $\mathcal{R}$, such that ${\sim} \subseteq \mathcal{R} \subseteq {\sqsubseteq_{tr}}$, we can define the problem RLBA-EQ$_{\mathcal{R}}$: 

Instance: An RLBA $B$ and its two configurations $\alpha, \alpha'$ of size $n$. 
Question: Is $\alpha \mathcal{R} \alpha'$? 

An RLBA with a configuration of size $n$ can be easily modeled by various non-flat systems, as the two following lemmas show. 

Lemma 1. There is a logspace reduction from RLBA-EQ$_{\mathcal{R}}$ to PCH-EQ$_{\mathcal{R}}$. 

Proof. Let us have an RLBA $B$ and two of its configurations of size $n$. We construct a PCH $T$ of the form $\mathbf{hide}\ B\ \mathbf{in}\ (T_c \parallel T_1 \parallel \cdots \parallel T_n)$ which models the LTS generated by $B$. In particular, $T_c$ models the control unit, and $T_1, \ldots, T_n$ model the tape cells of $B$. A state of $T_c$ represents the current control state and head position, and a state of $T_i$ represents the symbol on the $i$-th position of the tape. 

Let $I = \{1, \ldots, n\}$ be the set of all possible positions of the head. For each $i \in I$ is $T_i = (S_i, A_i, \to_i)$ where $S_i = \Gamma$, $A_i = \{(b, b', i) \mid b, b' \in \Gamma\}$, and $\to_i$ contains transitions $b \xrightarrow{(b, b', i)} b'$ for each $b, b' \in \Gamma$. 

In $T_c = (S_c, A_c, \to_c)$ is $S_c = \{(q, i) \mid q \in Q, i \in I\}$ and $A_c = A \cup A_1 \cup \cdots \cup A_n$ (w.l.o.g. we can assume that $A \cap A_i = \emptyset$ for each $i \in I$). To $\to_c$ we add for each $(q, b, q', b', d) \in \delta$ and $i \in I$, such that $i + d \in I$, a transition $(q, i) \xrightarrow{(b, b', i)} (q', i + d)$, and for each $q \in Q_r$, $q' \in Q$, $a \in (A \cup \{\tau\})$ and $i \in I$ where $q \xrightarrow{a} q'$ we add a transition $(q, i) \xrightarrow{a} (q', i)$. 

The hidden set in $T$ is defined as $A_1 \cup \cdots \cup A_n$. Each configuration $\alpha = (q, a_1 a_2 \cdots a_n, i)$ has a corresponding global state $g(\alpha) = ((q, i), a_1, a_2, \ldots, a_n)$. As can be easily checked, $\alpha \xrightarrow{a} \alpha'$ in $B$ iff $g(\alpha) \xrightarrow{a} g(\alpha')$ in $T$, and so $\alpha \mathcal{R} \alpha'$ in $B$ iff $g(\alpha) \mathcal{R} g(\alpha')$ for any $\mathcal{R}$ such that ${\sim} \subseteq \mathcal{R} \subseteq {\sqsubseteq_{tr}}$. It is obvious that $T$ can be constructed from $B$ in logarithmic space. $\square$ 

Lemma 2. There is a logspace reduction from RLBA-EQ$_{\mathcal{R}}$ to PN-EQ$_{\mathcal{R}}$. 

Proof. Let us have an instance of RLBA-EQ$_{\mathcal{R}}$, i.e. an RLBA $B$ and two of its configurations of size $n$. We construct a labelled net as follows. Let $I = \{1, \ldots, n\}$. The set of places will be $Q \cup \{(a, i) \mid a \in \Gamma, i \in I\} \cup I$. 

For each $(q, b, q', b', d) \in \delta$ and $i \in I$ where $q \in Q_c$ and $i + d \in I$ we add a transition $t = (q, b, q', b', i, i + d)$ labelled with $\tau$ together with incoming arcs $(q, t)$, $((b, i), t)$, and $(i, t)$, and outgoing arcs $(t, q')$, $(t, (b', i))$, and $(t, i + d)$. 

For each $q, q' \in Q$ and $a \in (A \cup \{\tau\})$ where $q \in Q_r$ and $q \xrightarrow{a} q'$ we add a new transition $t = (q, a, q')$ labelled with $a$ together with an incoming arc $(q, t)$ and an outgoing arc $(t, q')$. 

For a configuration $\alpha = (q, a_1 a_2 \cdots a_n, i)$ we define a corresponding marking $M_\alpha$ where $M_\alpha(p) = 1$ if $p$ is $q$, $i$, or $(a_j, j)$ where $j \in I$, and $M_\alpha(p) = 0$ otherwise. It is easy to check that $\alpha \xrightarrow{a} \alpha'$ iff $M_\alpha \xrightarrow{a} M_{\alpha'}$. $\square$ 

5 Construction for Flat Systems 

A logspace reduction from AGP to the complement of FS-EQ$_{\mathcal{R}}$ is presented in this section. For a given alternating graph $G = (V, E, t)$ with a distinguished node $x$ we construct a corresponding LTS $T_G = (S, A, \to)$ with two distinguished states $s, s' \in S$ such that $s \not\sqsubseteq_{tr} s'$ if $x$ is successful, and $s \sim s'$ otherwise. 

The set of states $S$ is $V$. For each $v \in V$ we define a set of corresponding actions $\mathrm{Act}(v)$. If $v \in V_\wedge$, then $\mathrm{Act}(v) = \{(v)\}$, and if $v \in V_\vee$, then $\mathrm{Act}(v) = \{(v, i) \mid 1 \le i \le |\sigma(v)|\}$. The set of actions $A$ is $\bigcup_{v \in V} \mathrm{Act}(v)$. We assume w.l.o.g. that successors of each node are ordered in some fixed order. The $i$-th successor of $v$ where $i \in \{1, \ldots, |\sigma(v)|\}$ is denoted by $\sigma_i(v)$. 

The transition relation contains transitions of three types: 

1. $v \xrightarrow{a} v$ for each $v \in V$ and $a \in A$ such that $a \notin \mathrm{Act}(v)$. 

2. $v \xrightarrow{(v, i)} v'$ for each $v \in V_\vee$ and $i \in \{1, \ldots, |\sigma(v)|\}$ where $v' = \sigma_i(v)$. 

3. $v \xrightarrow{(u)} u'$ for each $v \in V$, $u \in V_\wedge$ and $u' \in V$ such that $u' \in \sigma(u)$. 

We may assume w.l.o.g. that $G$ contains at least one rejecting node $z$. The instance of FS-EQ$_{\mathcal{R}}$ then consists of $T_G$ and states $z$ and $x$, where $x$ is the distinguished node from the instance of AGP. 
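The reduction of this section, together with the notions it relies on from Sect. 2.1 (trace membership and bisimilarity) and Sect. 2.2 (the least fixed point $W$ and the ranks used by Proposition 4 below), as an added example that is my own code and not the paper's: `successful_nodes` iterates $f$ from $\emptyset$ and records $\mathrm{rank}(v)$, `build_lts` produces the three transition types of $T_G$, `bisimilar` refines the full relation down to the greatest bisimulation, `has_trace` decides $w \in \mathrm{Tr}(s)$, and `witness_word` builds the word $w_m = a_m \cdots a_1$ of Proposition 4. The sample graph `G` with nodes `x`, `y`, `y2`, `acc`, `rej`, `n` is constructed; conjunctive actions are encoded as 1-tuples `(v,)` and disjunctive ones as pairs `(v, i)`.

```python
from collections import defaultdict


class AltGraph:
    """Alternating graph G = (V, E, t): V is an ordered node list, succ maps a
    node to its successors in a fixed order, kind maps a node to "and"
    (conjunctive) or "or" (disjunctive)."""

    def __init__(self, nodes, succ, kind):
        self.V = list(nodes)
        self.succ = {v: list(succ.get(v, [])) for v in self.V}
        self.kind = dict(kind)


def successful_nodes(G):
    """W as the least fixed point of f, plus rank(v) = least i with v in W_i
    where W_0 is empty and W_{i+1} = f(W_i)."""
    W, rank, i = set(), {}, 0
    while True:
        i += 1
        new = {v for v in G.V
               if (G.kind[v] == "and" and all(u in W for u in G.succ[v]))
               or (G.kind[v] == "or" and any(u in W for u in G.succ[v]))}
        for v in new - W:
            rank[v] = i
        if new == W:
            return W, rank
        W = new


def build_lts(G):
    """T_G: states are the nodes; returns (A, set of (v, a, v') triples)."""
    act = {v: ({(v,)} if G.kind[v] == "and"
               else {(v, i) for i in range(1, len(G.succ[v]) + 1)})
           for v in G.V}
    A = set().union(*act.values())
    trans = set()
    for v in G.V:
        for a in A:
            if a not in act[v]:
                trans.add((v, a, v))                  # type 1: self-loop
        if G.kind[v] == "or":
            for i, u in enumerate(G.succ[v], 1):
                trans.add((v, (v, i), u))             # type 2
    for u in G.V:
        if G.kind[u] == "and":
            for u2 in G.succ[u]:
                for v in G.V:
                    trans.add((v, (u,), u2))          # type 3
    return A, trans


def outgoing(trans):
    out = defaultdict(lambda: defaultdict(set))
    for s, a, t in trans:
        out[s][a].add(t)
    return out


def bisimilar(trans, s, t):
    """Strong bisimilarity: shrink the full relation until every remaining
    pair satisfies both matching conditions; tau, if present, is treated as
    an ordinary action."""
    out = outgoing(trans)
    states = set(out) | {t2 for (_, _, t2) in trans}

    def matches(u, v, R):
        return all(any((u2, v2) in R for v2 in out[v].get(a, ()))
                   for a, targets in out[u].items() for u2 in targets)

    R = {(u, v) for u in states for v in states}
    changed = True
    while changed:
        changed = False
        for (u, v) in list(R):
            if not (matches(u, v, R) and matches(v, u, R)):
                R.discard((u, v))
                changed = True
    return (s, t) in R


def has_trace(trans, s, w):
    """w in Tr(s)?  Follow the set of states reachable by the prefix read."""
    out = outgoing(trans)
    cur = {s}
    for a in w:
        cur = {t for u in cur for t in out[u].get(a, ())}
        if not cur:
            return False
    return True


def witness_word(G):
    """w_m = a_m ... a_1 of Proposition 4: W ordered by rank, a_i = (v_i) for
    conjunctive v_i, and (v_i, k) with sigma_k(v_i) successful of smaller
    rank for disjunctive v_i."""
    W, rank = successful_nodes(G)
    ordered = sorted(W, key=lambda v: (rank[v], G.V.index(v)))
    letters = []
    for v in ordered:
        if G.kind[v] == "and":
            letters.append((v,))
        else:
            k = next(i for i, u in enumerate(G.succ[v], 1)
                     if u in W and rank[u] < rank[v])
            letters.append((v, k))
    return tuple(reversed(letters))


# Constructed sample: x is successful, n is not; acc is accepting and rej
# rejecting (the role of z in the reduction).
G = AltGraph(
    nodes=["x", "y", "y2", "acc", "rej", "n"],
    succ={"x": ["y", "y2"], "y": ["acc", "rej"], "y2": ["rej", "acc"], "n": ["rej"]},
    kind={"x": "and", "y": "or", "y2": "or", "acc": "and", "rej": "or", "n": "or"})
A, TRANS = build_lts(G)

if __name__ == "__main__":
    print("W =", sorted(successful_nodes(G)[0]), "witness =", witness_word(G))
    print("rej ~ n:", bisimilar(TRANS, "rej", "n"), " rej ~ x:", bisimilar(TRANS, "rej", "x"))
```

Running it on the sample confirms both directions of the reduction: the unsuccessful node `n` is bisimilar to the rejecting node `rej`, while for the successful `x` the witness word is a trace of `rej` (which loops on every action) but not of `x`, so `rej` and `x` are not even in trace preorder.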

Proposition 3. If $v \in V$ is not successful then $z \sim v$. 

Proof. It is sufficient to show that $\{(z, v) \mid v \in (V - W)\} \cup \mathrm{Id}$ is a bisimulation ($\mathrm{Id}$ denotes the identity relation $\{(v, v) \mid v \in V\}$). Let us consider some pair $(z, v)$ where $v \in (V - W)$, and a transition $v \xrightarrow{a} v'$. This transition is either of: 

– type 1 and then it is matched by $z \xrightarrow{a} z$ of type 1, because $\mathrm{Act}(z) = \emptyset$ and so $z \xrightarrow{a} z$ for every $a \in A$, 

– type 2 and then $v \in V_\vee$ and because $v$ is unsuccessful, each $v' \in \sigma(v)$ is also unsuccessful, and so $v \xrightarrow{a} v'$ is matched by $z \xrightarrow{a} z$, 

– type 3 and then it can be matched by $z \xrightarrow{a} v'$ of type 3. 

Now consider a transition of the form $z \xrightarrow{a} z'$. It is of: 

– type 1 and then $z' = z$ and either $a \notin \mathrm{Act}(v)$, and $z \xrightarrow{a} z$ is matched by $v \xrightarrow{a} v$ of type 1, or $a \in \mathrm{Act}(v)$ and there are two possibilities: 

• if $v \in V_\vee$ then each $v' \in \sigma(v)$ is unsuccessful since $v$ is unsuccessful, and so $z \xrightarrow{a} z$ can be matched by $v \xrightarrow{a} v'$ of type 2, 

• if $v \in V_\wedge$ then there is at least one unsuccessful $v' \in \sigma(v)$, and so $z \xrightarrow{a} z$ can be matched by $v \xrightarrow{a} v'$ of type 3, 

– type 2, but this is not possible as $\mathrm{Act}(z) = \emptyset$, 

– type 3 and it can be matched by $v \xrightarrow{a} z'$ of type 3. $\square$ 



Proposition 4. There is w ∈ A* such that if v ∈ V is successful, then w ∉ 
Tr(v). 

Proof. As W can be computed as the least fixed point of f, we can define a 
sequence W_0 ⊆ W_1 ⊆ W_2 ⊆ ⋯ of subsets of W where W_0 = ∅ and W_{i+1} = f(W_i) 
for i ≥ 0. For each v ∈ W there is some least i such that v ∈ W_i. This i is denoted 
rank(v). Let m = |W|, and let v_1, v_2, …, v_m be the nodes in W ordered by their 
rank, i.e., if i < j then rank(v_i) ≤ rank(v_j). 

Let us consider a word w_m = a_m a_{m−1} ⋯ a_1 where a_i = (v_i) if v_i ∈ V_∧, and 
if v_i ∈ V_∨ then a_i = (v_i, k) where we choose k such that v' = σ_k(v_i) is successful 
and rank(v') < rank(v_i) (obviously there is at least one such v'). We show that 
w_m ∉ Tr(v) for any successful node v. In particular, for each i ≤ m we show 
that w_i = a_i a_{i−1} ⋯ a_1 ∉ Tr(v_j) if j ≤ i. We proceed by induction on i and in 
the proof we use the following simple observation: w_i ∉ Tr(v) iff for each v' such 
that v −a_i→ v' we have w_{i−1} ∉ Tr(v'). 

The base case (i = 0) is trivial. In the induction step we consider i > 0 and 
show that the proposition holds for every v_j where 1 ≤ j ≤ i. 

If v_i ∈ V_∨ then a_i = (v_i, k). Any transition of the form v_j −a_i→ v' is either of 
type 1, and then v' = v_j and j < i, and by induction hypothesis w_{i−1} ∉ Tr(v'), 
or of type 2, and then v' = σ_k(v_i), so v' is successful and rank(v') < rank(v_i), 
and by induction hypothesis w_{i−1} ∉ Tr(v'). 

If v_i ∈ V_∧ then a_i = (v_i). Any transition of the form v_j −a_i→ v' is either of 
type 1, and then v' = v_j and j < i, and by induction hypothesis w_{i−1} ∉ Tr(v'), 
or of type 3, and then v' ∈ σ(v_i) and so v' is successful and rank(v') < rank(v_i), 
so by induction hypothesis w_{i−1} ∉ Tr(v'). □ 

Notice that z −a→ z for each a ∈ A, because Act(z) = ∅, and so Tr(z) = A*. 
From this and Proposition 4 we have that z ⋢_tr x if x is successful. On the other 
hand, from Proposition 3 we have that z ~ x if x is not successful, and so the 
described construction is correct. 

The described reduction can obviously be performed in logarithmic space. 
Since the problem AGP is PTIME-complete and PTIME is closed under comple- 
ment, we obtain the following result: 

Lemma 5. FS-EQ_ℛ is PTIME-hard for any ℛ such that ~ ⊆ ℛ ⊆ ⊑_tr. 



6 Construction for Non-flat Systems 

The description of the reduction from ALBA-ACCEPT to the complement of 
RLBA-EQ_ℛ consists of several steps that are summarized in the following fig- 
ure, where co-FS-EQ_ℛ and co-RLBA-EQ_ℛ denote the complements of FS-EQ_ℛ and 
RLBA-EQ_ℛ: 

[Figure: ALBA-ACCEPT, instance (A, w_0) →(3), logspace reduction→ co-RLBA-EQ_ℛ, instance B. 
(A, w_0) corresponds (2) to the alternating graph G_A. AGP, instance G_A →(1), logspace 
reduction→ co-FS-EQ_ℛ, instance T_A →(4)→ co-FS-EQ_ℛ, instance T'_A, with T'_A ~ B (5).] 



The reduction (1) from AGP to the complement of FS-EQ_ℛ can be applied to the alternating 
graph G_A that corresponds (2) to the ALBA A in the instance of ALBA-ACCEPT. 
We obtain an LTS T_A. From the instance of ALBA-ACCEPT we construct (3) an 
RLBA B that models T_A in the sense that after we apply a certain kind of trans- 
formation (4) to T_A, we obtain an LTS T'_A bisimilar (5) with B. It will be proved 
that the transformation (4) preserves some important properties; in particular, 
states that were bisimilar are bisimilar after the transformation, and states that 
were not in trace preorder are not in trace preorder after the transformation. 
Bisimilarity (5) implies that the same is true for corresponding configurations 
of B, from which the correctness of the construction (3) follows. The EXPTIME- 
hardness of the complement of RLBA-EQ_ℛ implies the EXPTIME-hardness of RLBA-EQ_ℛ since EX- 
PTIME is closed under complement. 

The rest of the paper is devoted to the description of a logspace reduction 
from ALBA-ACCEPT to the complement of RLBA-EQ_ℛ. 

Let an ALBA A = (Q, Σ, Γ, δ, q_0, Q_acc, Q_rej) with a word w_0 ∈ Σ* be an 
instance of ALBA-ACCEPT. We can assume that transitions in δ are ordered and 
that this ordering determines the order of successors of a configuration. For 
simplicity we can assume w.l.o.g. that each configuration of A which is neither 
accepting nor rejecting has exactly two successors, and that ℓ(q_acc) = ∧ and 
ℓ(q_rej) = ∨. Let Conf be the set of all configurations of A of size n = |w_0| + 2, 
and let Conf_∧, Conf_∨, and Conf_rej be the sets of conjunctive, disjunctive, and 
rejecting configurations of size n, respectively. Notice that any configuration 
reachable from α_0 = α_init(w_0) is of size n. 

The ALBA A has a corresponding alternating graph G_A = (V, E, ℓ), where 
V = Conf, (α, α') ∈ E iff α ⊢ α', and the label of α in G_A is ℓ(α) for each α ∈ Conf. Notice 
that a configuration α is successful in A iff the node α is successful in G_A, and 
that A accepts w_0 iff the node α_0 is successful. 

When we apply the logspace reduction described in Sect. 5 to G_A with a node 
α_0, we obtain the LTS T_A = (S_A, A_A, →_A), where S_A = Conf, Act(α) = {(α)} 
for each α ∈ Conf_∧, Act(α) = {(α, i) | i ∈ {1, 2}} for each α ∈ Conf_∨ − Conf_rej, 
Act(α) = ∅ for each α ∈ Conf_rej, A_A = ⋃_{α∈Conf} Act(α), and →_A contains the 
following transitions for each α ∈ Conf: 

1. α −x→_A α for each x ∈ (A_A − Act(α)), 

2. α −(α,i)→_A α' if α ∈ Conf_∨, and α' is the i-th successor of α, 

3. α −(β)→_A β' for each β ∈ Conf_∧ and β' ∈ Conf such that β ⊢ β'. 

Let α_rej ∈ Conf_rej be some rejecting configuration. The states α_rej and α_0 
are the two distinguished states with the property that if A accepts w_0, then 
α_rej ⋢_tr α_0, and α_rej ~ α_0 otherwise. 

An RLBA B = (Q_B, Σ_B, δ_B, A_B, I_B, →_B) that in some sense ‘models’ T_A 
will be constructed. The RLBA B will be described only informally, but it should 
be clear from this description how to construct it. In fact B models an LTS that 
we obtain from T_A by a transformation illustrated in Fig. 1. 

Figure 1 shows only transitions going from one state, but the same transfor- 
mation is performed for all states and transitions. In this simplified example 
A_A = {a, b, c, d}. At first, the non-deterministic choice is postponed. Notice 
that a new state is added for each action in A_A. Next, each action from A_A is 
replaced by a sequence of actions from some ‘small’ alphabet A_B. In our example 
A_B = {0, 1} and a, b, c, d are replaced with 00, 01, 10 and 11. Invisible actions 
representing non-deterministic choice are replaced with sequences of τ actions 
of some fixed length m (in our example m = 3). This kind of transformation is 
described more formally in the next subsection. 

Configurations of A can be written as words in an alphabet Δ = (Q × 
Γ) ∪ Γ, where the occurrence of the symbol from Q × Γ denotes the position of 
the head (there must be exactly one such symbol in the word). A word from 
Δ* corresponding to a configuration α is denoted by desc(α). Actions from 
Act(α) are replaced with sequences of actions corresponding to desc(α) in B. In 
particular, A_B = Δ_A ∪ {1, 2} where Δ_A = Δ − {(q_rej, a) | a ∈ Γ}. Actions from 
{1, 2} are used to identify a successor of a disjunctive configuration. 

B has a tape with two tracks, denoted track 1 and 2, respectively. A current 
state α of T_A is stored as a word desc(α) on track 1. B also needs to store 
information about the label of a transition that T_A performs. The configuration 
from the label of the transition is stored on track 2. Formally this means that 
Σ_B = (Δ × Δ) ∪ {⊢, ⊣}. See Fig. 2 for an example: 

[Fig. 2. An example of a configuration of the RLBA B] 

As mentioned above, a transition of T_A labelled with an action from Act(β) is 
represented in B as a sequence of transitions. Each such sequence starts and ends 
in a configuration where track 1 contains the current state α of T_A and where 
the head of B points to the first symbol of desc(α), i.e., it is on position 2. The 
contents of track 2 are not important, since they will be overwritten. The sequence of 
transitions of B corresponding to one transition of T_A has two phases (denoted 
as phase 1 and phase 2): 



1. Actions representing symbols of desc(β) are performed one by one and 
the corresponding symbols are stored on track 2. The head of B goes from 
left to right. 

2. One of the possibilities is chosen non-deterministically (possibilities depend 
on some properties of α and β that are described below; information about 
these properties can be kept in the control unit of B): 

(a) The head of B moves back to the left endmarker without changing any- 
thing. 

(b) A chosen successor of β is stored on track 1 while the head returns back 
to the left endmarker. This involves copying track 2 to track 1 with 
the necessary modifications on positions where β and its successor differ. 

The three following steps are performed for each symbol a of desc(β) during 
phase 1: 

— the symbol from track 1 is read into the control unit, 

— an action a is performed, and remembered in the control unit, 

— a is written on track 2 and the head moves to the next cell. 

This means that actions τaτ are performed for each symbol a. Phase 1 ends 
when the right endmarker ⊣ is reached. If β ∈ Conf_∨, then phase 1 includes also 
an action a ∈ {1, 2} identifying a successor of β. This number is stored in the 
control unit of B. 

The possible choices at the start of phase 2 depend only on whether α = 
β, and on the type of β (if it is accepting, conjunctive or disjunctive). This 
information can be stored in the control unit of B. To find out if α = β, notice 
that we can compare symbols on tracks 1 and 2 during phase 1. The possible 
non-deterministic choices are the following: if β is disjunctive, the successor of 
β that was chosen at the end of phase 1 can be stored on track 1, and if β is 
conjunctive, the non-deterministically chosen successor of β can be stored on 
track 1. The choice (a), i.e., to keep track 1 intact, is possible only when α ≠ β. 
Notice that if β is accepting, there are no successors of β and so there are no 
transitions possible when α = β. 

B can be constructed in such a way that only valid configurations can be 
written on track 2 during phase 1, and some fixed number m of steps is always 
performed during phase 2, where m ∈ O(n). In particular, we can put m = 2n + 4, 
because two steps are needed to copy one symbol from track 2 to track 1, and 
we need two additional steps to modify track 1 to reflect one step of A. We also 
need additional steps at the beginning and at the end of phase 2. 
6.1 Decomposition of Transitions 

In this subsection we describe the transformation performed on T_A more formally 
and we show that it preserves some important properties of the original LTS. 

Let us have an LTS T = (S, A, →), a set of actions A', some positive integer 
m and a mapping h : A → A'* such that h(a) is not a prefix of h(a') if a ≠ a'. Let 
H = {h(a) | a ∈ A} and let Pref(H) be the set of all prefixes of words from H. 

We can construct a new LTS T' = (S', A', →') where S' = {(s, w) | s ∈ 
S, w ∈ Pref(H)} ∪ {(s, i) | s ∈ S, 0 ≤ i < m}, where we identify the states 
(s, 0) and (s, ε) (i.e., (s, 0) and (s, ε) are the same state), and where →' contains 
transitions: 

— (s, w) −a→' (s, wa) for each s ∈ S, w ∈ A'* and a ∈ A' such that wa ∈ 
Pref(H), 

— (s, w) −τ→' (s', m − 1) for each s, s' ∈ S and a ∈ A such that s −a→ s' and 
h(a) = w, 

— (s, i) −τ→' (s, i − 1) for each s ∈ S and 0 < i < m. 

For each state s ∈ S in T there is a corresponding state (s, ε) ∈ S' in T'. 

Lemma 6. For each s, s' ∈ S: if s ~ s', then (s, ε) ~ (s', ε), and if s ⋢_tr s', 
then (s, ε) ⋢_tr (s', ε). 

Proof (sketch). To prove the first part of the lemma, it is sufficient to show that 
R = {((s, w), (t, w)) | s ~ t, w ∈ Pref(H)} ∪ {((s, i), (t, i)) | s ~ t, 0 ≤ i < m} is 
a bisimulation. 

To prove the second part, let us define a mapping ĥ : A* → A'* such that 
ĥ(ε) = ε, and ĥ(aw) = h(a)τ^m ĥ(w). By induction on |w| we can show that for 
every s ∈ S and w ∈ A*, w ∈ Tr(s) iff ĥ(w) ∈ Tr((s, ε)). 

If s ⋢_tr s' then there is some w ∈ A* such that w ∈ Tr(s) and w ∉ Tr(s'). 
This implies that ĥ(w) ∈ Tr((s, ε)) and ĥ(w) ∉ Tr((s', ε)). □ 
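The construction of Sect. 5 and the decomposition of transitions above, as an added worked example (this is not code from the paper): it builds T_G for a small constructed alternating graph, computes the successful nodes by the least fixed point, the distinguishing word w_m of Proposition 4, and bisimilarity by partition refinement, then applies the decomposition with a fixed-length binary code as h (so that no h(a) is a prefix of another) and m = 3, and checks Propositions 3 and 4 and both halves of Lemma 6. The graph, the node names, the choice of h and the value of m are this example's assumptions.

```python
# Added example, not the paper's code: T_G of Sect. 5 built from a small constructed
# alternating graph (node -> (label, ordered successors)), the decomposition of
# Sect. 6.1, and checks of Propositions 3 and 4 and Lemma 6 on the result.
GRAPH = {
    "x": ("or", ["y", "r"]),
    "y": ("and", ["acc", "w"]),
    "w": ("or", ["acc"]),
    "r": ("or", ["z"]),
    "acc": ("and", []),  # accepting: conjunctive without successors, hence successful
    "z": ("or", []),     # rejecting: disjunctive without successors, never successful
}

def successful(graph):
    """Least fixed point W_0 = {}, W_{i+1} = f(W_i); returns successful node -> rank."""
    rank = {}
    for i in range(1, len(graph) + 2):
        hit = {v for v, (lab, succ) in graph.items() if v not in rank
               and (all if lab == "and" else any)(s in rank for s in succ)}
        rank.update(dict.fromkeys(hit, i))
    return rank

def build_lts(graph):
    """T_G = (S, A, ->) with the three transition types of Sect. 5."""
    act = {v: [(v,)] if lab == "and" else [(v, i) for i in range(1, len(succ) + 1)]
           for v, (lab, succ) in graph.items()}
    actions = sorted({a for acts in act.values() for a in acts}, key=str)
    trans = {}
    for v, (lab, succ) in graph.items():
        for a in actions:
            if a not in act[v]:                 # type 1: self-loop on every foreign action
                trans.setdefault((v, a), set()).add(v)
        if lab == "or":
            for i, s in enumerate(succ, 1):     # type 2: choose the i-th successor
                trans.setdefault((v, (v, i)), set()).add(s)
        for u, (ulab, usucc) in graph.items():  # type 3: (u) leads to any successor of u
            for s in (usucc if ulab == "and" else []):
                trans.setdefault((v, (u,)), set()).add(s)
    return list(graph), actions, trans

def bisimilar(states, actions, trans):  # coarsest strong bisimulation by signature refinement
    block = dict.fromkeys(states, 0)
    while True:
        sig = {s: (block[s], tuple(tuple(sorted({block[t] for t in trans.get((s, a), ())}))
                                   for a in actions)) for s in states}
        ids = {g: i for i, g in enumerate(sorted(set(sig.values())))}
        if len(ids) == len(set(block.values())):   # no block was split: stable
            return {s: ids[sig[s]] for s in states}
        block = {s: ids[sig[s]] for s in states}

def has_trace(trans, s, word):  # word in Tr(s)?  follow it through all reachable states
    cur = {s}
    for a in word:
        cur = {t for q in cur for t in trans.get((q, a), ())}
    return bool(cur)

def distinguishing_word(graph, rank):  # w_m = a_m ... a_1 of Proposition 4, nodes by rank
    letters = []
    for v in sorted(rank, key=lambda v: (rank[v], v)):
        lab, succ = graph[v]
        if lab == "and":
            letters.append((v,))
        else:  # disjunctive: the first successful successor of smaller rank
            letters.append((v, next(i for i, s in enumerate(succ, 1)
                                    if s in rank and rank[s] < rank[v])))
    return tuple(reversed(letters))

def decompose(states, trans, h, m):
    """T' of Sect. 6.1: a becomes the letters of h(a), then m tau steps; (s, 0) is (s, "")."""
    pref = {w[:i] for w in h.values() for i in range(len(w) + 1)}
    alphabet = sorted(set("".join(h.values())))
    new_states = [(s, w) for s in states for w in pref] + [(s, i) for s in states for i in range(1, m)]
    new_trans = {}
    for s in states:
        for w in pref:
            for c in alphabet:
                if w + c in pref:
                    new_trans.setdefault(((s, w), c), set()).add((s, w + c))
        for i in range(1, m):
            new_trans.setdefault(((s, i), "tau"), set()).add((s, i - 1) if i > 1 else (s, ""))
    for (s, a), targets in trans.items():
        for t in targets:
            new_trans.setdefault(((s, h[a]), "tau"), set()).add((t, m - 1) if m > 1 else (t, ""))
    return new_states, alphabet + ["tau"], new_trans

def check(graph, reject="z", m=3):
    """Propositions 3 and 4 on T_G and Lemma 6 on its decomposition; every value should be True."""
    rank = successful(graph)
    states, actions, trans = build_lts(graph)
    width = max(1, (len(actions) - 1).bit_length())
    h = {a: format(i, f"0{width}b") for i, a in enumerate(actions)}  # fixed length: prefix-free
    w = distinguishing_word(graph, rank)
    h_bar = tuple(c for a in w for c in list(h[a]) + ["tau"] * m)     # h(a_1) tau^m ... h(a_k) tau^m
    blocks = bisimilar(states, actions, trans)
    s2, a2, t2 = decompose(states, trans, h, m)
    blocks2 = bisimilar(s2, a2, t2)
    return {
        "prop3": all(blocks[reject] == blocks[v] for v in states if v not in rank),
        "prop4": all(not has_trace(trans, v, w) for v in rank) and has_trace(trans, reject, w),
        "lemma6_bisim": all(blocks2[(s, "")] == blocks2[(t, "")]
                            for s in states for t in states if blocks[s] == blocks[t]),
        "lemma6_trace": all(has_trace(trans, s, w) == has_trace(t2, (s, ""), h_bar) for s in states),
    }
```

`check(GRAPH)` returns four `True` values: the rejecting node z is bisimilar to the other unsuccessful node r and has every trace, every successful node lacks w_m, and after the decomposition the bisimilar pairs stay bisimilar while membership of ĥ(w_m) in Tr((s, ε)) mirrors membership of w_m in Tr(s).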

6.2 Correctness of the Construction of the RLBA 

Theorem 7. The problem RLBA-EQ_ℛ is EXPTIME-hard for any ℛ such that 
~ ⊆ ℛ ⊆ ⊑_tr. 

Proof. Let us return to the construction of B and consider the corresponding T_A. 
We define a mapping h : A_A → A_B* such that h((α)) = τa_1τ τa_2τ ⋯ τa_nτ for 
α ∈ Conf_∧, and h((α, i)) = τa_1τ τa_2τ ⋯ τa_nτ i for α ∈ Conf_∨ − Conf_rej, where 
desc(α) = a_1 a_2 ⋯ a_n. We apply the transformation described in the previous 
subsection with h and m = 2n + 4 to T_A, and we obtain T'_A. It is straightforward 
to create a bisimulation that relates configurations of B and states of T'_A. 

States α_rej and α_0 from T_A correspond to a rejecting, resp. initial, configu- 
ration of A. If A accepts w_0, then α_rej ⋢_tr α_0 in T_A, and so (α_rej, ε) ⋢_tr (α_0, ε) 
in T'_A, and if A does not accept w_0, then α_rej ~ α_0 in T_A and (α_rej, ε) ~ (α_0, ε) 
in T'_A by Lemma 6. The same holds for the corresponding configurations of B. 
This shows that the described construction is correct. 

RLBA B with two configurations can be constructed from an instance of 
ALBA-ACCEPT in logarithmic space, since it is obvious that some fixed number 
of pointers pointing to symbols in the instance would be sufficient for the con- 
struction. The problem ALBA-ACCEPT is EXPTIME-complete and EXPTIME 
is closed under complement. □ 

So from Theorem 7 and Lemmas 1 and 2 we obtain the main result of the 
paper: 

Theorem 8. The problems PCH-EQ_ℛ and PN-EQ_ℛ are EXPTIME-hard for any 
ℛ such that ~ ⊆ ℛ ⊆ ⊑_tr. 
Abstract. We consider the problem of checking whether a finite (or 
ultimately periodic) run satisfies a temporal logic formula. This problem 
is at the heart of “runtime verification” but it also appears in many other 
situations. By considering several extended temporal logics, we show that 
the problem of model checking a path can usually be solved efficiently, 
and profit from specialized algorithms. We further show it is possible to 
efficiently check paths given in compressed form. 



1 Introduction 

Model checking, introduced in the early 80’s, has now become a widely used ap- 
proach to the verification of all kinds of systems [CGP99,BBF+01]. The name 
“model checking” covers a variety of techniques dealing with various subprob- 
lems: how to model systems by some kind of Kripke structures?, how to express 
properties in temporal logics or some other formalisms?, how to use symbolic 
techniques for dealing with large state spaces?, and, most importantly, how to 
algorithmically check that a model satisfies a property? 

These techniques rest upon a solid body of foundational knowledge regarding 
the expressive power of temporal logics and the computational complexity of 
their model checking problems [Sch03]. 

In this paper, we consider the problem of model checking a single path. 
This problem appears in several situations, most notably in runtime verifica- 
tion [Dru00,Hav00,FS01]. There are situations where thousands of paths are 
checked one by one, e.g. the Monte-Carlo approach for assessing the probability 
that a random run satisfies some property [YS02,LP02]. Less standard situations 
exist: [RG01] advocates using temporal logic for describing patterns of intrusive 
behaviors recorded in log files. Such a log file, where a series of system events are 
recorded, is just a long path on which the temporal formula will be evaluated. 

We do not restrict to finite paths and also consider checking ultimately peri- 
odic paths (given as finite “lasso-shaped” loop) . Checking a path is much simpler 
than checking a Kripke structure, so much so that the problem may appear triv- 
ial: using standard dynamic programming methods “à la CTL model checking”, 
a path can obviously be checked in bilinear, i.e. O(|model| × |formula|), time. 

This may explain why the problem, while ubiquitous, has not been isolated 
and studied from a theoretical viewpoint. For example, it is not known whether 
checking a simple temporal formula over a finite path can be done more efficiently 
than with the “bilinear time” method, e.g. with memory-efficient algorithms in 
SC, or with fast parallel algorithms in NC. Indeed this open problem was only 
identified recently [DS02]. 

With this paper, we aim to show that the problem is worthy of more fun- 
damental investigations. Of course, the problem is a generic one, with many 
variants (which temporal logic? what kind of paths?) and here we only start 
scratching its surface. 

More specifically, we present results (some of them folklore) showing that 

Checking a Path is Easier: As we show in this paper, model checking a path 
is often much easier than checking a Kripke structure. We exhibit examples 
of richly expressive temporal logics that allow polynomial-time algorithms 
for checking a single path, while checking all paths of a Kripke structure 
is highly intractable. It is even possible to achieve polynomial-time when 
checking compressed paths (i.e. exponentially long paths that are given and 
stored in compressed form). 

Checking a Path Relies on Specific Techniques: These efficient algo- 
rithms rely on specific aspects of the problem. Checking a path definitely 
comes with its own set of notions, technical tricks, and conceptual tools. 
For example, all our algorithms for checking ultimately periodic paths rely 
on a specific reduction technique to checking some kind of short finite prefix 
of the infinite path. 

Outline of the Paper. We define the basic problem of model checking LTL for- 
mulae over finite or ultimately periodic paths (Sect. 2). This problem is still not 
satisfactorily solved, but we argue that its intrinsic difficulty is already present 
in the case of finite paths (Sect. 3). We then show that model checking a path 
is much easier than model checking a Kripke structure by looking at various 
rich temporal logics: the monadic first-order logic of order, the extension of LTL 
with Chop, or the extension of LTL with forgettable past (Sect. 4). We provide 
polynomial-time algorithms for the last two instances. Finally we look at the 
problem of checking paths given in compressed form (Sect. 5). 

Related Works. Model checking a path is a central problem in runtime verifi- 
cation. In this area, the problem is seen through some specific practical appli- 
cations, sometimes with an emphasis on online algorithms, with the result that 
the fundamental complexity analysis has not received enough attention. 

Dynamic programming algorithms for checking finite and ultimately periodic 
paths are also used in bounded model checking [BCC+03]. In this area, the rel- 
evant measures for efficiency are not the classical notions of running time and 
memory space, but have more to do with, say, the number of Boolean variables 
introduced by the algorithm, or the pattern of dependencies between them. 

Model checking a path has a lot in common with algorithmics on words 
(witness Section 5). However, our concern with temporal logics and ultimately 
periodic paths is not standard in that other area. 

2 Linear-Time Temporal Logic and Paths 

We assume familiarity with temporal logics (mainly LTL) and model checking: 
see [Eme90,CGP99,BBF+01]. 

Syntax of LTL+Past. Let AP = {p_0, p_1, p_2, …} be a countably infinite set 
of atomic propositions. The formulae of LTL+Past are given by the following 
grammar: 

$$\varphi, \psi ::= \neg\varphi \mid \varphi \wedge \psi \mid \mathsf{X}\varphi \mid \mathsf{X}^{-1}\varphi \mid \varphi\,\mathsf{U}\,\psi \mid \varphi\,\mathsf{S}\,\psi \mid p_0 \mid p_1 \mid p_2 \mid \cdots$$

S (Since) and X^{-1} (Previously) are the past-time mirrors of the well-known U 
(Until) and X (Next). We shall freely use the standard abbreviations ⊤, φ ⇒ ψ, 
φ ∨ ψ, Fφ (≝ ⊤ U φ), Gφ (≝ ¬F¬φ), F^{-1}φ (≝ ⊤ S φ) and G^{-1}φ (≝ ¬F^{-1}¬φ). 

LTL, the well-known propositional linear-time temporal logic, is the frag- 
ment where S and X^{-1} are not used, also called the pure-future fragment. While 
LTL+Past is not more expressive than LTL [GPSS80,Rab02], and not harder to 
verify [SG85], it can be (at least) exponentially more succinct than LTL [LMS02]. 



Semantics. Linear-time formulae are evaluated along paths. Formally, a path is 
a sequence π = s_0, s_1, …, finite or infinite, of states, where a state is a valuation 
s ∈ 2^{AP} of the atomic propositions. |π| ∈ ℕ ∪ {ω} denotes the length of π and, for 
a position i < |π|, one defines when a formula holds at position i of π = (s_i)_{i<|π|} 
by induction on the structure of formulae: 

$$\begin{array}{lcll}
\pi, i \models p & \text{iff} & p \in s_i & \text{for } p \in AP \\
\pi, i \models \mathsf{X}\varphi & \text{iff} & \pi, i+1 \models \varphi & (\text{hence } i+1 < |\pi|) \\
\pi, i \models \mathsf{X}^{-1}\varphi & \text{iff} & \pi, i-1 \models \varphi & (\text{hence } i > 0) \\
\pi, i \models \varphi\,\mathsf{U}\,\psi & \text{iff} & \exists j \geq i : \pi, j \models \psi, \text{ and } \forall\, i \leq k < j : \pi, k \models \varphi & (\text{hence } j < |\pi|) \\
\pi, i \models \varphi\,\mathsf{S}\,\psi & \text{iff} & \exists j \leq i : \pi, j \models \psi, \text{ and } \forall\, j < k \leq i : \pi, k \models \varphi & (\text{hence } j \geq 0)
\end{array}$$

omitting the usual clauses for negation and conjunction. We say a non-empty 
path π satisfies φ, written π ⊨ φ, when π, 0 ⊨ φ, i.e. when φ holds at the 
beginning of π. 

Since only propositions that appear in φ are relevant for deciding whether 
π ⊨ φ, we usually assume that paths only carry valuations for the finite number 
of propositions that will be used later on them. 
Model Checking. We are interested in the computational problem of model check- 
ing a path against an LTL formula. This requires that the path argument be given 
in some finite way. In classical model checking, where we evaluate a temporal 
formula along all the paths of a finite Kripke structure (KS), the KS is the finite 
input that describes an infinite set of infinite paths. Here we assume that the 
given path is finite, or is ultimately periodic. 

Ultimately periodic, or u.p., paths are given via a pair (u, v) of two finite 
paths, called a loop for short. A loop (u, v) denotes the infinite path π = u.v^ω, 
called its unfolding, where an initial u prefix is followed by repeated copies of v. 
For uniformity, we shall assume finite paths are given via loops too, only they 
have empty v. We say loop (u, v) has type (m, p) when m is the length |u| of u 
and p is the length of v. 

Model Checking a Path. The generic computational problem we are considering 
is: 

PMC(L) (Path Model Checking for L). 

Input: two finite paths u, v and a temporal formula φ of L. 

Output: yes iff u.v^ω ⊨ φ, no otherwise. 

Here L can be any temporal logic (but it is not meaningful to consider branching- 
time logics). We shall consider several problems: PMC(LTL), PMC(LTL + 
Past), etc. We denote by PMC_f(L) the restricted problem when only finite 
paths are considered (i.e. when v = ε). A recurring pattern in our results is that 
PMC(L) reduces to PMC_f(L) (by default, we consider logspace reductions). 

3 How Efficient Can Path Model Checking Be? 

We mentioned in the introduction that the following holds: 

Theorem 3.1. PMC(LTL) can be solved in time O(|uv| × |φ|). 

Proof. Obvious since, over paths, CTL and LTL coincide, so that the well-known 
bilinear algorithm for CTL model checking can be used. □ 

That polynomial-time algorithms also exist for LTL+Past is less obvious: 

Theorem 3.2. PMC(LTL+Past) can be solved in time O(|uv| × |φ|^2). 

This can be obtained as a corollary of Theorem 4.5 but it is instructive to look 
at a direct proof, since it illustrates a recurring pattern. 

We start with the simpler case where the path is finite: 

Proposition 3.3. PMC_f(LTL+Past) can be solved in time O(|u| × |φ|). 

Proof (Sketch). The obvious dynamic programming algorithm works: starting 
from the innermost subformulae, we recursively fill a Boolean table T[i, ψ], where 
i is a position in the finite path, and ψ is a subformula of φ, in such a way that 
T[i, ψ] = ⊤ iff π, i ⊨ ψ. □ 
This algorithm is too naive for u.p. paths: one cannot label uniformly states 
inside the loop. A state in the loop corresponds to different positions in the 
unfolded path, and these positions have different pasts. 

However it is only necessary to unfold the loop a small number of times, 
something we present as a reduction from PMC(LTL+Past) to PMC_f(LTL + 
Past). 

Let φ be an LTL+Past formula, and (u, v) a loop of type (m, p). In the sequel, 
we write h_F(φ) for the future temporal height of φ, i.e. its maximum number of 
nested future-time modalities. Similarly, h_P(φ) denotes the past temporal height 
of φ. We write H(φ) for h_F(φ) + h_P(φ). E.g., for φ = FF^{-1}XFp_1 ∨ F^{-1}G^{-1}p_2, we 
have h_F(φ) = 3, h_P(φ) = 2 and H(φ) = 5. 

Lemma 3.4 ([Mar02]). For all subformulas ψ of φ, and k ≥ m + h_P(φ)p: 

$$u.v^\omega, k \models \psi \quad\text{iff}\quad u.v^\omega, k + p \models \psi. \tag{1}$$

This may be proved by structural induction on formula ψ. 

We now reduce model checking of φ on the loop (u, v) to a finite path model 
checking problem. We assume that p ≠ 0 (otherwise the result is obvious), and 
build the finite path π' = u.v'^{H(φ)+1} where v' is like v except that v'_0 carries a 
new proposition q ∉ AP (and we replace AP by AP' = AP ∪ {q}). Formally, v' 
is given by: 

$$|v'| \stackrel{\text{def}}{=} p \qquad v'_0 \stackrel{\text{def}}{=} v_0 \cup \{q\} \qquad v'_i \stackrel{\text{def}}{=} v_i \ \text{ for } i > 0.$$

We also recursively build a set of formulae χ_k as follows: 

$$\chi_0 = \top \qquad \chi_k = \mathsf{F}(q \wedge \mathsf{X}\chi_{k-1}).$$

Obviously, π', i ⊨ χ_k iff i < m + (H(φ) + 1 − k)p. Now φ̂ is inductively given by: 

$$\begin{array}{ll}
\hat{p} = p & \\
\widehat{\neg\psi} = \neg\hat{\psi} & \widehat{\psi_1 \vee \psi_2} = \hat{\psi}_1 \vee \hat{\psi}_2 \\
\widehat{\mathsf{X}\psi} = \mathsf{X}\hat{\psi} & \widehat{\psi_1\,\mathsf{U}\,\psi_2} = \hat{\psi}_1\,\mathsf{U}\,(\hat{\psi}_2 \wedge \chi_{h_F(\psi_1 \mathsf{U} \psi_2)}) \\
\widehat{\mathsf{X}^{-1}\psi} = \mathsf{X}^{-1}\hat{\psi} & \widehat{\psi_1\,\mathsf{S}\,\psi_2} = \hat{\psi}_1\,\mathsf{S}\,\hat{\psi}_2
\end{array}$$

Lemma 3.5. For all subformulae ψ of φ, for all i < m + (H(φ) − h_F(ψ))p, we 
have: 

$$u.v^\omega, i \models \psi \quad\text{iff}\quad \pi', i \models \hat{\psi}.$$

A direct corollary is the reduction we announced: 

Theorem 3.6. For any LTL+Past formula φ, and loop (u, v), one can build 
in logspace a formula φ̂ and a finite path π' s.t. 

$$u.v^\omega \models \varphi \quad\text{iff}\quad \pi' \models \hat{\varphi}.$$

Since |π'| is in O(|uv||φ|), we obtain Theorem 3.2 by combining with Proposi- 
tion 3.3. 
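The table-filling algorithm of Proposition 3.3 and a loop-to-finite-path reduction in the style of Theorem 3.6, as an added worked example (this is not code from the paper). Formulas are nested tuples; the helpers atoms/F/G/P, the marker proposition q, the marker formulae written here as χ_k = XF(q ∧ χ_{k−1}) and the use of H(φ)+2 copies of v' (one more than the text's H(φ)+1) are this example's own choices, made so that χ_k holds at i exactly when i < m + (H(φ)+2−k)p, not the paper's definitions. The loop and formulae used with check_loop are constructed.

```python
# Added example, not the paper's code: LTL+Past on finite paths by the table-filling
# algorithm of Proposition 3.3, and a loop-to-finite-path reduction in the style of
# Theorem 3.6.  Formulas are nested tuples; the marker formulae chi_k and the number
# of loop copies used below are this example's own choices (assumptions).
TRUE = ("true",)

def atoms(*names):
    """A state: the set of atomic propositions true at that position."""
    return frozenset(names)

def F(f): return ("U", TRUE, f)              # F phi  =  true U phi
def G(f): return ("not", F(("not", f)))      # G phi  =  not F not phi
def P(f): return ("S", TRUE, f)              # F^{-1} phi  =  true S phi

def heights(f):
    """(h_F, h_P): maximal nesting of future (X, U) resp. past (Y = X^{-1}, S) modalities."""
    if f[0] in ("true", "p"):
        return 0, 0
    hf, hp = (max(x) for x in zip(*(heights(g) for g in f[1:])))
    return hf + (f[0] in ("X", "U")), hp + (f[0] in ("Y", "S"))

def evaluate(path, f, memo=None):
    """Boolean table T[i] = (path, i |= f) over a finite path (Proposition 3.3);
    every subformula is filled once, from the tables of its children."""
    memo = {} if memo is None else memo
    if f in memo:
        return memo[f]
    n, op = len(path), f[0]
    sub = [evaluate(path, g, memo) for g in f[1:]] if op not in ("true", "p") else []
    if op == "true":
        t = [True] * n
    elif op == "p":
        t = [f[1] in s for s in path]
    elif op == "not":
        t = [not x for x in sub[0]]
    elif op == "and":
        t = [x and y for x, y in zip(sub[0], sub[1])]
    elif op == "or":
        t = [x or y for x, y in zip(sub[0], sub[1])]
    elif op == "X":
        t = sub[0][1:] + [False]                 # no successor at the last position
    elif op == "Y":
        t = [False] + sub[0][:-1]                # no predecessor at position 0
    elif op == "U":   # right to left: f1 U f2 at i iff f2 at i, or f1 at i and (f1 U f2) at i+1
        t = [False] * n
        for i in range(n - 1, -1, -1):
            t[i] = sub[1][i] or (sub[0][i] and i + 1 < n and t[i + 1])
    elif op == "S":   # left to right: the mirror image
        t = [False] * n
        for i in range(n):
            t[i] = sub[1][i] or (sub[0][i] and i > 0 and t[i - 1])
    memo[f] = t
    return t

def check_loop(u, v, phi, marker="q"):
    """Decide u.v^omega |= phi on a finite path, Theorem 3.6 style."""
    m, p = len(u), len(v)
    if p == 0:
        return evaluate(list(u), phi)[0]
    hf, hp = heights(phi)
    copies = hf + hp + 2                        # assumption: H(phi) + 2 copies of v'
    path = list(u) + ([v[0] | {marker}] + list(v[1:])) * copies

    def chi(k):  # example's choice: chi_k holds at i exactly when i < m + (copies - k) p
        return TRUE if k == 0 else ("X", F(("and", ("p", marker), chi(k - 1))))

    def hat(f):  # restrict every Until so that its witness lies where enough copies remain
        if f[0] in ("true", "p"):
            return f
        if f[0] == "U":
            return ("U", hat(f[1]), ("and", hat(f[2]), chi(heights(f)[0])))
        return (f[0],) + tuple(hat(g) for g in f[1:])

    return evaluate(path, hat(phi))[0]
```

On the constructed loop u = ∅ {a}, v = {b} ∅ the naive finite evaluation of GFb on u.v alone answers no (the last position has no future b), while check_loop answers yes, as the unfolding does; the same evaluator also decides the finite-path problem PMC_f when v is empty.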
An Open Question and a Conjecture. We do not know whether the upper bounds 
given in Theorems 3.1 and 3.2 are tight. There is an obvious NC^1 lower bound 
that has nothing to do with model checking: evaluating a Boolean expression is 
NC^1-hard. But the gap between NC^1 and PTIME is (assumed to be) quite large. 

We have been unable to prove even LOGSPACE-hardness for PMC(LTL + 
Past), or to find an algorithm for PMC(LTL) (even for PMC_f(L(F))) that would 
be memory efficient (e.g. requiring only polylog-space) or that would be consid- 
ered as an efficient parallel algorithm (e.g. in NC). 

We consider that the open question of assessing the precise complexity of 
PMC(LTL) and PMC(LTL+Past) is one of the important open problems in 
model checking [DS02, Sect. 4]. In view of how Theorem 3.6 reduces PMC(…) 
to PMC_f(…), one thing we can tell about the open problem is that the difficulty 
does not come from allowing u.p. paths. 

Our conjecture is that PMC(LTL) is not PTIME-hard. This conviction is 
grounded in our experience with all the PTIME-hardness proofs we can obtain 
for richer logics (see next sections) and the way they always exploit some powerful 
trick or other that LTL and LTL + Past do not allow. 

4 Richly Expressive Temporal Logics 

Many temporal logics are more expressive, or more succinctly expressive, than 
LTL [Eme90,Rab02]. However this increased expressivity usually comes with an 
increased cost for verification, which explains why they are not so popular in the 
model checking community. 

In this section we consider a few such temporal logics. Since we focus on 
logics with first-order definable modalities, the “rich expressiveness” should be 
understood as “succinct expressiveness”. 

Our first example is FOMLO, the first-order logic of order with monadic 
predicates. This formalism is not really a modal logic, like LTL is, but it is 
fundamental since it encompasses all natural temporal logics. We show that 
model checking FOMLO on paths is PSPACE-complete, hence is much easier 
on paths than on Kripke structures (where it is nonelementary [Sto74]). 

We then look at two more specific extensions of LTL. LTL+ Chop has a non- 
elementary model checking problem on Kripke structures [RP86], but we show 
it leads to a PTIME-complete path model checking problem. Another PTIME- 
complete problem on paths appears with LTL + Past + Now, an extension of 
LTL+Past that has an EXPSPACE-complete model checking problem on Kripke 
structures [LMS02]. 

Figure 1 summarizes our results. The obvious conclusion is that, when model 
checking paths, there is no reason to restrict oneself to LTL: much more expres- 
sive formalisms can be handled at (more or less) no additional price. 

4.1 FOMLO, the First-Order Monadic Logic of Order 

We will not recall here all the basic definitions and notations for FOMLO. Let us 
simply say that we use qh(φ) to denote the quantifier-height of φ, that we write 
φ(x_1, …, x_n) to stress that the free variables in φ are among {x_1, …, x_n}, and 
that π, o_1, …, o_n ⊨ φ(x_1, …, x_n) denotes that path π with selected positions 
o_1, …, o_n ∈ ℕ is a model of φ(x_1, …, x_n) when the x_i's are interpreted by the 
o_i's. 

logic              | checking Kripke structures | checking paths 
-------------------|----------------------------|---------------- 
FOMLO              | nonelementary              | PSPACE-complete 
LTL                | PSPACE-complete            | PTIME-easy 
LTL + Past         | PSPACE-complete            | PTIME-easy 
LTL + Past + Now   | EXPSPACE-complete          | PTIME-complete 
LTL + Chop         | nonelementary              | PTIME-complete 

Fig. 1. Checking richly expressive logics on paths 

Theorem 4.1. PMC(FOMLO) is PSPACE-compZete. 

PSPACE-hardness already occurs with finite paths of length two where there is 
an obvious reduction from Quantified Boolean Formula (QBE). 

Proving membership in PSPACE is more involved. But if we restrict to finite 
paths, there is no difficulty since the naive evaluation of first-order formulae over 
finite first-order structures only needs polynomial-space [CM77]. Therefore, the 
difficult part in Theorem 4.1 is the proof that model checking FOMLO formulae 
over ultimately periodic paths u.v^ can be done in polynomial-space. 

We now prove 

Proposition 4.2. Telling whether u.v'^ ^ tp for p> a closed FOMLO formula 
can be done in space 0{\uv\ x 

Assume u.v^ is an u.p. path of type {m,p) with p > 0. We say two positions 
a, & G N are congruent, written a = b, if a = h, or a > m < h and a mod p = b 
mod p (i.e. they point to equal valuations on u.v'^). Two tuples (oi,... ,a„) 
and {bi,... ,bn) of natural numbers are k-equivalent, written (oi,... ,a„) 

{bi , . . . , bn), when = bi for all 1 < z < n and {ai—aj yf bi~bj) joj— | > 2^p 
for all 1 < z < j, < n. 

Lemma 4.3. If (m, a_1, ..., a_n) ≡_k (m, b_1, ..., b_n) and qh(φ) ≤ k, then 

u.v^ω, a_1, ..., a_n ⊨ φ(x_1, ..., x_n) iff u.v^ω, b_1, ..., b_n ⊨ φ(x_1, ..., x_n). 

Proof (Idea). A standard use of Ehrenfeucht-Fraïssé games on linear order- 
ings [Ros82]. □ 

For a closed FOMLO formula φ we let φ̃ be the relativized variant obtained 
from φ by replacing every quantification "∃x" in φ by "∃x < m + p(2^k − 2^{k−h})" 
where k is qh(φ) and h is the height of the "∃x" occurrence we replace. 
For example, assuming m = 10 and p = 3, the formula 

∃x ∀y (x > y ∧ p_0(y) ⇒ ∃z (y < z < x ∧ p_1(z)))    (φ) 

is relativized as 

∃x < 22 ∀y < 28 (x > y ∧ p_0(y) ⇒ ∃z < 31 (y < z < x ∧ p_1(z))).    (φ̃) 

A corollary of Lemma 4.3 is the following 

Lemma 4.4. u.v^ω ⊨ φ iff u.v^ω ⊨ φ̃. 

We can now evaluate whether u.v^ω ⊨ φ in polynomial-space, proving Propo- 
sition 4.2. Lemma 4.4 reduces this question to a bounded problem, where only 
a finite prefix of u.v^ω has to be examined. That prefix still has exponential size 
O(m + p·2^{qh(φ)}) but we do not have to build it. Rather, we only go over all values 
for the position variables in φ̃, storing them in binary notation (say) to ensure 
polynomial-space. Then it is easy to evaluate the predicates on these binary no- 
tations: the only dyadic predicate is <, and the monadic predicates reduce to 
simple arithmetical computations to find a congruent position in u.v. 
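The bounded evaluation just described, as an added Python example that is not part of the paper: formulas are nested tuples (a representation assumed here), the relativization bound m + p(2^k − 2^{k−h}) is computed per quantifier, and a predicate at a position i ≥ m is read at the congruent position (i − m) mod p of v, so the exponential prefix is never built. It reproduces the bounds 22, 28, 31 of the worked example above and evaluates a second, constructed formula ("p_1 holds infinitely often") on constructed paths.

```python
"""Bounded evaluation of closed FOMLO formulae on an ultimately periodic path
u.v^omega (Lemma 4.4 / Proposition 4.2).  Added example, not the paper's code."""

# Formula representation (an assumption of this example): nested tuples
#   ("E", x, body)   exists x . body        ("A", x, body)   for all x . body
#   ("lt", x, y)     x < y                  ("P", name, x)   monadic predicate name(x)
#   ("and", f, g), ("or", f, g), ("imp", f, g), ("not", f)

def quantifier_height(f):
    """qh(f): maximal nesting depth of quantifiers."""
    op = f[0]
    if op in ("E", "A"):
        return 1 + quantifier_height(f[2])
    if op in ("and", "or", "imp"):
        return max(quantifier_height(f[1]), quantifier_height(f[2]))
    if op == "not":
        return quantifier_height(f[1])
    return 0

def bound(m, p, k, h):
    """Relativization bound m + p(2^k - 2^(k-h)) for a quantifier at height h
    (the outermost quantifier has h = 1) in a formula of quantifier height k,
    on a path of type (m, p)."""
    return m + p * (2 ** k - 2 ** (k - h))

def relativization_bounds(f, m, p):
    """The bounds attached to the quantifiers of f, in textual order."""
    k, out = quantifier_height(f), []
    def walk(g, h):
        op = g[0]
        if op in ("E", "A"):
            out.append(bound(m, p, k, h))
            walk(g[2], h + 1)
        elif op in ("and", "or", "imp"):
            walk(g[1], h)
            walk(g[2], h)
        elif op == "not":
            walk(g[1], h)
    walk(f, 1)
    return out

def holds(f, u, v, env=None, h=1, k=None):
    """Does u.v^omega satisfy the closed formula f?  u and v are lists of sets of
    predicate names (the valuation at each position); m = |u|, p = |v| > 0.
    Quantifiers range only below their relativization bound (Lemma 4.4), and a
    predicate at position i is read at the congruent position of u.v, so the
    exponential prefix of the path is never materialised."""
    m, p = len(u), len(v)
    k = quantifier_height(f) if k is None else k
    env = {} if env is None else env
    op = f[0]
    if op in ("E", "A"):
        limit = bound(m, p, k, h)
        vals = (holds(f[2], u, v, {**env, f[1]: i}, h + 1, k) for i in range(limit))
        return any(vals) if op == "E" else all(vals)
    if op == "lt":
        return env[f[1]] < env[f[2]]
    if op == "P":
        i = env[f[2]]
        return f[1] in (u[i] if i < m else v[(i - m) % p])
    if op == "and":
        return holds(f[1], u, v, env, h, k) and holds(f[2], u, v, env, h, k)
    if op == "or":
        return holds(f[1], u, v, env, h, k) or holds(f[2], u, v, env, h, k)
    if op == "imp":
        return (not holds(f[1], u, v, env, h, k)) or holds(f[2], u, v, env, h, k)
    if op == "not":
        return not holds(f[1], u, v, env, h, k)
    raise ValueError(f"unknown connective {op}")

# The formula of the worked example:
#   exists x . forall y . (x > y and p0(y)  =>  exists z . (y < z < x and p1(z)))
PHI = ("E", "x", ("A", "y", ("imp", ("and", ("lt", "y", "x"), ("P", "p0", "y")),
                                ("E", "z", ("and", ("and", ("lt", "y", "z"), ("lt", "z", "x")),
                                                   ("P", "p1", "z"))))))

# Constructed second formula: forall x . exists y . (x < y and p1(y)), i.e. p1 infinitely often.
INF_OFTEN_P1 = ("A", "x", ("E", "y", ("and", ("lt", "x", "y"), ("P", "p1", "y"))))

if __name__ == "__main__":
    print(relativization_bounds(PHI, 10, 3))                             # [22, 28, 31]
    print(holds(INF_OFTEN_P1, [{"p0"}, set()], [{"p1"}, set(), set()]))  # True
```

The evaluator walks the positions of φ̃ in nested loops, which is the enumeration Proposition 4.2 performs with binary counters; only the predicate lookup touches the path, and it only ever indexes into u.v.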

4.2 LTL with Forgettable Past 

"LTL with forgettable past" is LTL + Past + Now, i.e. LTL + Past where we add 
a new unary modality N (for "from Now on"). The semantics of N is given by 

π, i ⊨ Nφ iff π_{≥i}, 0 ⊨ φ. 

We refer to [LMS02] for motivations on LTL + Past + Now: that logic can 
be exponentially more succinct than LTL + Past, and its model checking prob- 
lem is EXPSPACE-complete. LTL + Past + Now is included in Fig. 1 because 
Theorem 4.5 was the first hint that PMC allows dealing efficiently with rich 
logics. 

Theorem 4.5 ([LMS02]). PMC(LTL + Past + Now) is PTIME-complete. 

4.3 The Chop Modality 

"Chop", introduced in [HKP80] and studied in [RP86], is a two-place modality 
whose semantics is defined as follows: 

π, 0 ⊨ φ C ψ iff ∃k ≥ 0 s.t. π_{≥k+1} ⊨ ψ and π_{≤k} ⊨ φ 

where π_{≥k+1} is the suffix of π starting at (and including) position k + 1, and 
π_{≤k} is the prefix of π up to (and including) position k. It is useful in cases where we 
want to see subruns inside a run (e.g. sessions, or specific segments) and state 
their temporal specifications [RP86]. 

Satisfiability for LTL + Chop is nonelementary [RP86]. Hence model checking 
LTL + Chop properties on Kripke structures is nonelementary too (there exists 
a polynomial-space reduction from satisfiability to model checking, see [DS02, 
Prop. 3.1]). 

However, model checking a path is easier: 

Proposition 4.6. PMC(LTL + Chop) can be solved in time O(|uv|^2 × |φ|^3). 

The outline of the proof is similar to the case of LTL + Past. First, we observe 
that, for a finite path π, the following holds: 

Proposition 4.7. PMC_f(LTL + Chop) can be solved in time O(|π|^2 |φ|). 

Proof (Sketch). Again dynamic programming techniques suffice. We fill a 
Boolean table T[i, j, ψ], for each positions i ≤ j in π, and subformula ψ of 
φ, in such a way that 

T[i, j, ψ] = ⊤ iff π[i, j] ⊨ ψ 

where π[i, j] = (π_{≤j})_{≥i}. This can be done in quadratic time in the size of the 
path, and linear time in the size of the formula. □ 
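The table T[i, j, ψ] of the proof sketch, as an added Python example that is not from the paper. Segments π[i, j] are position ranges; formulas are nested tuples (an assumed representation) over atoms, ¬, ∧, ∨, X, U and C, with F and G derived; the chop case searches for the cut point k with π[i, k] ⊨ ψ_1 and π[k+1, j] ⊨ ψ_2. The memoised recursion fills one table entry per (i, j, subformula); each U or C entry costs a further linear scan, so this straightforward version is cubic in |π| rather than quadratic. The last check in the usage test is the observation used in the PTIME-hardness proof of this section, that a finite path satisfies FG ψ iff its last state satisfies ψ.

```python
"""Dynamic programming for LTL + Chop on a finite path (Proposition 4.7).
Added example, not the paper's code."""
from functools import lru_cache

# Formulas (assumed representation): an atom is a string; otherwise a tuple
#   ("true",), ("not", f), ("and", f, g), ("or", f, g), ("X", f), ("U", f, g),
#   ("C", f, g)  -- chop: f on a prefix of the segment, g on the rest of it.
TRUE = ("true",)
def F(f): return ("U", TRUE, f)          # eventually
def G(f): return ("not", F(("not", f)))  # always

def check(path, formula):
    """path: non-empty list of sets of atomic propositions.
    Returns whether path, 0 |= formula, filling T[i, j, psi] on demand, where
    pi[i, j] = (pi_{<=j})_{>=i} is the segment of positions i..j inclusive."""
    n = len(path)

    @lru_cache(maxsize=None)
    def T(i, j, f):
        if isinstance(f, str):                 # atomic proposition at the first position
            return f in path[i]
        op = f[0]
        if op == "true":
            return True
        if op == "not":
            return not T(i, j, f[1])
        if op == "and":
            return T(i, j, f[1]) and T(i, j, f[2])
        if op == "or":
            return T(i, j, f[1]) or T(i, j, f[2])
        if op == "X":                          # a next position must exist inside the segment
            return i < j and T(i + 1, j, f[1])
        if op == "U":                          # f[2] at some k, f[1] at every position before k
            return any(T(k, j, f[2]) and all(T(l, j, f[1]) for l in range(i, k))
                       for k in range(i, j + 1))
        if op == "C":                          # prefix pi[i, k] |= f[1], suffix pi[k+1, j] |= f[2]
            return any(T(i, k, f[1]) and T(k + 1, j, f[2]) for k in range(i, j))
        raise ValueError(f"unknown operator {op}")

    return T(0, n - 1, formula)

# Constructed sample path: a a b c (each position is the set of atoms true there)
PATH = [{"a"}, {"a"}, {"b"}, {"c"}]

if __name__ == "__main__":
    print(check(PATH, ("C", G("a"), ("X", "c"))))   # True: cut after position 1
    print(check(PATH, ("C", G("a"), G("b"))))       # False: no cut point works
```

The X case has to fail when i = j: a segment's last position has no successor inside the segment, which is also why FG ψ on a finite path collapses to "ψ at the last position".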

We now consider u.p. paths. The next lemma states that some transforma- 
tions on paths do not affect the truth value of LTL + Chop formulae: 

Lemma 4.8. Let φ ∈ LTL + Chop, and m, n ≥ |φ|. Let u, v be two finite paths, 
and w be a (finite or infinite) path. Then 

u.v^m.w ⊨ φ iff u.v^n.w ⊨ φ. 

We now perform the reduction from PMC(LTL + Chop) to PMC_f(LTL + 
Chop). We first exclude the trivial case when v is empty. We keep the notations 
of the proof of Theorem 3.6, and define a new path π' and new formulae: 

ψ_1 U ψ_2 = ψ_1 U (ψ_2 ∧ X_{|ψ_1 U ψ_2|})    ψ_1 C ψ_2 = ψ_1 C (ψ_2 ∧ X_{|ψ_1 C ψ_2|}) 

For this path π', we now have π', i ⊨ X_k iff i < m + (|φ| − k)p. 

With Lemma 4.8 we can prove the following by induction on the structure 
of φ: 

Lemma 4.9. For all subformula ψ of φ, for all i < m + (|φ| − |ψ|)p, we have: 

u.v^ω, i ⊨ ψ iff π', i ⊨ ψ. 

It now suffices to observe that |π'| is in O(|uv| × |φ|), and we obtain Proposi- 
tion 4.6 from Proposition 4.7. 

It turns out that, as with LTL + Past + Now, we have a case where model 
checking a path is PTIME-complete: 

Theorem 4.10. PMC(LTL + Chop) is PTIME-complete. 

In fact, PTIME-hardness already occurs with finite paths, i.e. for PMC_f(LTL + 
Chop). We prove this by a reduction from the (Synchronous Alternating Mono- 
tone) Circuit-Value Problem [GHR95, problem A.1.6]. We illustrate the re- 
duction on an example and consider the circuit C of figure 2. 

Let E_C denote the set of links (pairs of gates) in C. With C we associate the 
finite path π_C given in figure 3. 

[Fig. 2 (a circuit whose gates sit on levels 4 down to 0) and Fig. 3 are not 
reproduced in the scan.] 

Fig. 2. An instance of Circuit-Value 

Fig. 3. The path π_C associated to our instance of Circuit-Value 




Finally, we define the following sequence of formulae: 

φ_0 ≝ [right-hand side not legible in the scan] 

φ_{2k+1} ≝ (⋁_{i at level 2k+1} [...] FG_j) C (X0 ∧ φ_{2k}) 

φ_{2k+2} ≝ (⋁_{i at level 2k+2} [...]) C (X0 ∧ ¬φ_{2k+1}) 
Lemma 4.11. For any gate n_i at level p in C, n_i evaluates to true in C iff 
π_C, (3i − 2) ⊨ φ_p. 

Proof (Idea). By induction on p. The base case where p = 0 is obvious. For the 
induction step we first consider the case where p = 2k + 1 is odd. Hence n_i is a 
disjunctive gate. The right-hand side of φ_{2k+1} requires that we "chop" the path 
between two nodes labeled by a same n_j, and that this node satisfies the formula 
corresponding to the level below (hence gate n_j evaluates to true by ind. hyp.). 
The left-hand side of φ_{2k+1} ensures that gate n_j is a child of the current n_i (a 
finite path satisfies some FG ψ iff its last state satisfies ψ). Thus π_C, 3i − 2 ⊨ φ_p 
iff a child of n_i evaluates to true iff n_i evaluates to true. 

When p is even, a dual reasoning applies. □ 

Thus C evaluates to true iff π_C, 1 ⊨ φ_l, where l is the height of C. Hence 
PTIME-hardness. 
5 Model Checking Compressed Paths 

In this section we show that it is possible to efficiently model check paths that 
are given in compressed form, i.e. via some succinct encoding. One such encoding 
is the exponent notation, e.g. writing paths as 

π = ([(s_1.s_2.s_3)^{…}(s_4)^{10}]^{…}(s_5.s_6)^{…})^{…}. 



5.1 Compressed Words 

Working directly on compressed words is a standard technique in some fields, e.g. 
when handling long DNA strings in gene-mapping applications. Several encoding 
schemes are possible, and the more interesting ones are those where a compressed 
word can be exponentially more succinct than the described word. 

Here we follow [PR99] and adopt the standard framework of straight-line 
programs, or SLP's: these are context-free grammars where the non-terminals 
N_1, ..., N_k are ordered (N_1 being the axiom), and where every non-terminal 
has a single production of the form N_i → a for a terminal a, or N_i → N_j N_l 
for some j, l > i [PR99]. For an SLP P, we write w(P) for the unique word 
described by P. 

SLP’s are equivalent (polynomial-time inter-reducible) to Lempel-Ziv com- 
pression schemes but are mathematically nicer. They are more general than the 
exponent notation. The algorithms we give for SLP’s easily adapt to these other 
compression schemes. 



5.2 Model Checking Compressed Paths 

A compressed path is a pair (P_1, P_2) of two SLP's, encoding the u.p. path 
w(P_1).w(P_2)^ω. Since compressed paths are succinct descriptions, we should ex- 
pect that model-checking paths given in compressed form is hard. This is indeed 
the case with LTL model checking: 

Theorem 5.1. Model checking LTL formulae on compressed paths is PSPACE- 
complete. 

However, the difficulty has more to do with the LTL formulae than with the 
compressed paths, as our next result shows: 

Theorem 5.2. Checking whether a compressed path is recognized by a Büchi 
automaton is PTIME-complete. 

Checking whether a compressed path (P_1, P_2) satisfies an LTL formula φ can be 
done in time (|P_1| + |P_2|)·2^{O(|φ|)}, hence for long paths and simple fixed formulae, 
model-checking compressed paths is essentially "linear-time". 

The rest of the section proves the above two theorems. We observe the usual 
pattern: u.p. paths are not harder than finite paths. 
Fig. 4. Checking compressed paths 



5.3 Compressed Paths Accepted by Büchi Automata 

Proposition 5.3. [PR99] Saying whether w(P) is recognized by A (for P an 
SLP, and A a finite-state automaton) can be done in time O(|P| × |A|^3). 

Proof. [PR99] describes a simple dynamic programming solution. For two 
states r, s of A and non-terminal X_i of P, set T[r, s, i] = true iff w(X_i) la- 
bels a path going from r to s in A. Obviously, if X_i → X_j X_k is a rule in P, 
then T[r, s, i] = ⋁_u T[r, u, j] ∧ T[u, s, k]. Hence the table T[...] is easy to fill. 
Then we can use T[...] to see whether w(P), i.e. w(X_1), labels an accepting 
path. □ 
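The table of Proposition 5.3 in Python, as an added example that is neither the authors' nor [PR99]'s code. An SLP is stored as a dict from non-terminal index to either a terminal letter or a pair (j, l) of larger indices, and an automaton as a transition dict (both encodings are assumptions of this example); T is filled from the highest index downwards, joining T[·, ·, j] and T[·, ·, l] through the intermediate state u. The constructed SLP generates a Fibonacci word, so w(P) has length exponential in |P|, and the result is cross-checked against running the automaton on the expanded word for small instances.

```python
"""Membership of a compressed word w(P) in a finite automaton by the dynamic
programming of Proposition 5.3.  Added example, not the paper's or [PR99]'s code."""

# SLP encoding (an assumption of this example): dict index -> terminal letter or
# pair (j, l) with j, l > index.  Index 1 is the axiom X_1.
def make_fibonacci_slp(k):
    """Constructed SLP: X_k -> b, X_{k-1} -> a, X_i -> X_{i+1} X_{i+2}.
    |w(X_1)| is the k-th Fibonacci number, exponential in the SLP size k."""
    rules = {k: "b", k - 1: "a"}
    for i in range(k - 2, 0, -1):
        rules[i] = (i + 1, i + 2)
    return rules

def expand(slp, i=1):
    """w(X_i) written out explicitly; exponential, only used for cross-checking."""
    rule = slp[i]
    return rule if isinstance(rule, str) else expand(slp, rule[0]) + expand(slp, rule[1])

def slp_length(slp):
    """|w(P)| without expanding: one addition per rule, highest index first."""
    length = {}
    for i in sorted(slp, reverse=True):
        rule = slp[i]
        length[i] = 1 if isinstance(rule, str) else length[rule[0]] + length[rule[1]]
    return length[1]

# Automaton encoding (an assumption of this example): (states, delta, init, accepting)
# with delta[(q, a)] = set of successor states, so an NFA is allowed.
def contains_factor_nfa(factor, alphabet):
    """Constructed NFA accepting the words that contain `factor`."""
    n = len(factor)
    delta = {}
    for a in alphabet:
        delta.setdefault((0, a), set()).add(0)    # wait for the factor to start
        delta.setdefault((n, a), set()).add(n)    # anything may follow it
    for i, a in enumerate(factor):
        delta.setdefault((i, a), set()).add(i + 1)
    return list(range(n + 1)), delta, 0, {n}

def nfa_accepts(word, states, delta, init, accepting):
    """Plain subset simulation on an explicit word (for the cross-check)."""
    current = {init}
    for a in word:
        current = set().union(*(delta.get((q, a), set()) for q in current))
    return bool(current & accepting)

def slp_accepted(slp, states, delta, init, accepting):
    """Proposition 5.3: T[i] holds the pairs (r, s) such that w(X_i) labels a
    path r -> s.  Rules are processed from the highest index down, so the
    tables of X_j and X_l exist when X_i -> X_j X_l is reached; the join over
    the intermediate state u costs O(|A|^3) per rule."""
    T = {}
    for i in sorted(slp, reverse=True):
        rule = slp[i]
        if isinstance(rule, str):
            T[i] = {(r, s) for r in states for s in delta.get((r, rule), set())}
        else:
            j, l = rule
            by_start = {}                     # index T[l] by its start state u
            for u, s in T[l]:
                by_start.setdefault(u, set()).add(s)
            T[i] = {(r, s) for r, u in T[j] for s in by_start.get(u, set())}
    return any(r == init and s in accepting for r, s in T[1])

if __name__ == "__main__":
    fib = make_fibonacci_slp(8)
    print(expand(fib), slp_length(fib))                          # 21 letters
    print(slp_accepted(fib, *contains_factor_nfa("aa", "ab")))   # True
    print(slp_accepted(fib, *contains_factor_nfa("bb", "ab")))   # False
```

Only the table entries, never the word, are kept in memory; the expansion in the test exists purely to validate the table against the automaton's own run.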



Corollary 5.4. Saying whether a compressed path (P_1, P_2) is recognized by A 
(a Büchi automaton) can be done in time O((|P_1| + |P_2|) × |A|^3). 

Proof (Idea). This is a simple extension of the previous algorithm. For example, 
one can build a second table T'[...] s.t. T'[r, s, i] = true iff a power of w(X_i) 
labels a path going from r to s and visiting an accepting state of A. □ 

Proposition 5.5 ([MS03]). Saying whether w(P) is recognized by a determin- 
istic finite-state automaton A is PTIME-hard (hence PTIME-complete). 

This shows a situation where compressed words are harder than uncompressed 
words since recognizability by a FSA is NL-complete for uncompressed words. 

5.4 Compressed Paths Satisfying LTL Formulae 

The easy part of Theorem 5.1 is the upper bound: 

Proposition 5.6. Deciding whether a compressed path satisfies an LTL formula 
can be done in polynomial-space. 

Proof (Idea). Model checking LTL formulae on products of concurrent Kripke 
structures is PSPACE-complete [HKV02], and compressed paths can easily be 
encoded in such products. □ 

PSPACE-hardness is more involved. Note it already occurs with finite paths: 
Proposition 5.7. Deciding whether a finite compressed path satisfies an LTL 
formula is PSPACE-hard. 

We now sketch the proof. It is by reduction from Quantified Boolean Formula 
(QBF). Assume I is a QBF instance of the form ∃v_1 ∀v_2 ∃v_3 ... ∀v_n (⋀_i ⋁_j ℓ_{i,j}) 
where every ℓ_{i,j} is a literal, i.e. a Boolean variable from V = {v_1, ..., v_n} or its 
negation. 

With I we associate a compressed word that lists all valuations for the V- 
variables in lexicographical order. This is given by the following SLP: 

N_1 → b_1.N_2.t_1.e_1.b_1.N_2.f_1.e_1 
N_2 → b_2.N_3.t_2.e_2.b_2.N_3.f_2.e_2 
... 
N_n → b_n.t_n.e_n.b_n.f_n.e_n 

Here letters t_i and f_i state that v_i is true and, resp., false. Letters b_i and e_i 
are begin and end markers. 

We now encode I via φ_I, the following LTL formula: 

[b_1 ∧ ([b_2 ⇒ ([b_3 ∧ ... [b_n ⇒ ⋀_i ⋁_j (ℓ_{i,j} B e_n)] U e_{n−1} ...] B e_2)] U e_1)] B ⊥ 

where φ B ψ is short for "φ at least once before a ψ". In 
the above formula, b_1 B ⊥ encodes "there is a position where a value for v_1 is 
picked", b_2 U e_1 encodes "for all positions where a value for v_2 is picked before 
we change the value for v_1", etc. When we look at a position where v_n receives 
a value, the current valuation for all of V can be recovered by writing "t_k B e_n" 
for the value of v_k. 

Finally, the QBF instance I is true iff w(P_I) ⊨ φ_I. Hence we have pro- 
vided a logspace reduction from QBF to model-checking LTL formulae on finite 
compressed paths. 

6 Conclusions 

We considered the problem of model checking a finite (or ultimately periodic) 
path. This is a fundamental problem in runtime verification, and it occurs in 
many other verification situations. This problem has not yet been the subject of 
serious fundamental investigation, probably because it looks like it is trivial. 

We argue that “model checking a path” should be recognized as an interesting 
problem, and identified as such whenever it occurs. The main benefits one can ex- 
pect are specialized algorithms that are more efficient than the usual algorithms 
we use (algorithms that were designed for the general case of model checking 
Kripke structures). We illustrate this with two kinds of specialized algorithms: 
model checking a path can be done efficiently (sometimes in polynomial-time) 
even when using richly expressive temporal logics that would usually be con- 
sidered as highly intractable, and model checking a path can be done efficiently 
(sometimes in polynomial-time) even when the path is given in compressed form. 





264 N. Markey and P. Schnoebelen 



We feel this opens the door to a whole line of investigations, aiming at finding 
efficient algorithms for the whole variety of path model checking problems that 
naturally occur in practice. 

From a more theoretical viewpoint, the basic problem of model checking 
LTL formulae over finite or ultimately periodic paths should be considered as an 
important open problem. It is not known whether the problem is PTIME-hard, 
or whether it admits efficient parallel algorithms (e.g. in NC), or memory-efficient 
algorithms (e.g. in SC). The gap between the known upper and lower bounds is 
quite large, but we have been unable to narrow it. 

Acknowledgement. The anonymous referees made several suggestions that 
greatly helped improve this paper. 
Abstract. Multi-valued model-checking is an extension of classical model-check- 
ing to reasoning about systems with uncertain information, which are common 
during early design stages. The additional values of the logic are used to capture 
the degree of uncertainty. In this paper, we show that the multi-valued μ-calculus 
model-checking problem is reducible to several classical model-checking prob- 
lems. The reduction allows one to reuse existing model-checking tools and algo- 
rithms to solve multi-valued model-checking problems. This paper generalizes, 
extends and corrects previous work in this area, done in the context of 3-valued 
models, symbolic model-checking, and De Morgan algebras. 



1 Introduction 

Temporal logic model-checking [9] is one of the most widely used automated verification 
techniques. Its strength lies in its "push-button" approach to reasoning. Once a user has 
specified a model K, usually as a finite-state transition system, and a property in some 
temporal logic L, a model-checker returns true if the model satisfies the property and 
false otherwise. 

In this paper, we assume that the temporal logic used to specify properties is the 
temporal μ-calculus [25]. Classical model-checking is defined over concrete models 
that explicitly allow some behaviors and prohibit others. This makes it well suited for 
analyzing systems at the end of the design cycle when all of the information is known. 
However, it is inconvenient for models that contain uncertain information, which is 
common during early design stages. 

Sources of uncertainty come from partial information about the system, or internal 
inconsistencies. The former include partial systems where some behaviors are neither 
explicitly allowed nor prohibited, and abstracted systems where an abstraction results 
in the loss of information. Another source of uncertain information can be the property 
itself. For example, in temporal logic query-checking [4], temporal logic is extended 
with unknowns (called placeholders) that indicate a user’s uncertainty about the correct 
formulation of the property. Inconsistent models come from representing a system as 
a composition of several (usually consistent) modules. Such modules can be features, 
with the goal of discovering feature interaction, or partial descriptions of the system, 
contributed by different stakeholders. In both cases, inconsistencies are inevitable. 

Multi-valued logics provide a unifying framework for reasoning about systems with 
uncertain information [14,13,5]. Additional logic values are used to capture the degree 
of uncertainty, and are used to construct the model of the system. For example, partial in- 
formation can be represented using a 3-valued logic [22] with values T, M and F, where T 
and F represent definite information, and M ("maybe") represents partial knowledge [1]. 

Multi-valued logics are typically defined using finite De Morgan algebras [29], 
also known as quasi-boolean algebras. This ensures that many laws of classical logic, 
such as idempotence, associativity, distributivity, De Morgan laws, involution of nega- 
tion (¬¬a = a), are preserved. Laws that are not necessarily preserved include non- 
contradiction (a ∧ ¬a = ⊥) and excluded middle (a ∨ ¬a = ⊤). Multi-valued model- 
checking [5] is defined as a procedure that receives a multi-valued transition system K 
(where either propositions are multi-valued, the transition relation is multi-valued, or 
both) and a formula φ from a temporal logic defined over some De Morgan algebra L, 
and returns the degree to which φ holds on K. 

The multi-valued model-checking problem can be decided directly, using a spe- 
cialized tool [7]. Yet, it is appealing to reduce it to several classical model-checking 
problems. Such a reduction allows one to check correctness of the direct approach and 
opens venues to use the mature classical model-checking technology. It also provides a 
connection between multi-valued and classical model-checking and allows to lift the- 
oretical results from classical model-checking to multi-valued. For example, it is used 
in [20,19] to show that the refinement relation over 3-valued models is an extended 
version of the bisimulation relation [27], and in [18] to show that query-checking is an 
instance of multi-valued model-checking. 

Reduction algorithms for 3-valued logic [2,1,16,20,21] have been well understood. 
Such reductions typically involve two independent checks to classical models, and the 
negation is handled on the level of atomic propositions. Konikowska and Penczek [23, 
24] provided reductions for several other logics for the negation-free fragment of 
mv-CTL*(L). The contribution of this paper is in generalizing these reductions to μ- 
calculus over arbitrary finite De Morgan algebras. The solution is effectively to reduce 
multi-valued model-checking to |J(L)| 2-valued models, where J(L) is the set of join- 
irreducible elements of a given De Morgan algebra L. Each 2-valued model is encoded 
to be able to decide both universal and existential temporal logic properties. A similar 
approach, although in the context of classical temporal logic questions, was proposed 
by Huth and Pradhan [21]. 

The rest of the paper is organized as follows. After giving the necessary background 
in Sect. 2, we systematically develop and analyze the reduction algorithm in Sect. 3 and 
compare it with related work in Sect. 4. Section 5 concludes the paper. 



2 Background 

In this section, we give a brief introduction to lattice theory, De Morgan algebras, and 
multi-valued model-checking. 

2.1 Lattices and De Morgan Algebras 

A lattice is a partial order (L, ⊑), where every finite subset B ⊆ L has a least upper bound 
(called "join" and written ⊔B) and a greatest lower bound (called "meet" and written 
⊓B). ⊤ and ⊥ are the maximal and the minimal elements of a lattice, respectively. For 
notational convenience, we often refer to a lattice (L, ⊑) by its carrier set L. A lattice 
is called distributive if meet and join distribute over each other, i.e., a ⊓ (b ⊔ c) = 
(a ⊓ b) ⊔ (a ⊓ c). A few examples of distributive lattices are given in Fig. 1. 

[Fig. 1: the Hasse diagrams are not reproduced in the scan; the element labels that 
survive are (a) ⊤ (¬⊥), ⊥ (¬⊤); (b) ⊤ (¬⊥), M (¬M), ⊥ (¬⊤); (c) TT (¬FF), 
TF (¬FT), FF (¬TT); (d) ⊤ (¬⊥), DK (¬DC), DC (¬DK), ⊥ (¬⊤).] 

Fig. 1. Examples of a few distributive lattices and the corresponding De Morgan algebras (bracketed 
values describe the negation): (a) lattice 2; (b) lattice 3; (c) cross-product lattice 2×2; and (d) 
lattice 2×2 + 2 

Definition 1. [11] An element j in a lattice L is join-irreducible iff j ≠ ⊥ and for any 
x and y in L, j = x ⊔ y implies j = x or j = y. 

In other words, j is a join-irreducible if it cannot be further decomposed into a join 
of other elements in the lattice. For example, the join-irreducibles of the lattices in 
Fig. 1a,b,c,d are {⊤}, {⊤, M}, {TF, FT}, {⊤, DK, DC, N}, respectively. The set of all 
join-irreducibles of L is denoted by J(L). 

Every element of a finite lattice can be uniquely decomposed as a join of all join- 
irreducible elements below it: 

Theorem 1. [11] For any ℓ ∈ L, ℓ = ⊔{j ∈ J(L) | j ⊑ ℓ}. 

For any join-irreducible element j ∈ J(L), the function · ⊒ j distributes over meets 
and joins: 

(a ⊓ b) ⊒ j = (a ⊒ j) ⊓ (b ⊒ j)    (a ⊔ b) ⊒ j = (a ⊒ j) ⊔ (b ⊒ j) 

For any lattice L and a collection of L elements B, the downward closure of B, 
written ↓B, is the set of all elements of L that are below some elements of B: 

↓B ≝ {ℓ ∈ L | ∃b ∈ B · ℓ ⊑ b} 



Definition 2. A De Morgan algebra is a tuple (L, ⊑, ¬) where (L, ⊑) is a finite dis- 
tributive lattice and ¬ is any operation that preserves involution (¬¬ℓ = ℓ) and De 
Morgan laws. 

De Morgan algebras provide a natural model for De Morgan logics where the logical 
conjunction (∧) and disjunction (∨) are interpreted as meet and join of the algebra, 
respectively. In De Morgan algebras, we get ¬⊤ = ⊥ and ¬⊥ = ⊤, but not necessarily 
the law of non-contradiction (ℓ ⊓ ¬ℓ = ⊥) or excluded middle (ℓ ⊔ ¬ℓ = ⊤). For 
notational convenience, we write ⇒ for material implication: a ⇒ b = ¬a ⊔ b. 
We can define several De Morgan algebras using the lattices given in Fig. 1. The 
domain of logical values of the classical logic, referred to as 2, is the lattice in Fig. 1(a). 
The three-valued algebra 3 (Kleene logic [22]) is defined on the lattice in Fig. 1(b), where 
¬⊤ = ⊥, ¬⊥ = ⊤, ¬M = M. The four-valued algebra 2×2 is defined on the lattice in 
Fig. 1(c). A logic based on this algebra can be used for reasoning about inconsistency. 
Note that ⊤ and ⊥ elements of an algebra are interpreted as values true and false of the 
logic, respectively. When the negation and the ordering operators of an algebra (L, ⊑, ¬) 
are clear from the context, we refer to it by its carrier set L. 

Given a set S, and a De Morgan algebra L, we denote the set of functions from S 
to L by L^S. If L is a De Morgan algebra, then so is (L^S, ⊑, ¬), where ⊑ and ¬ are 
pointwise extensions of the corresponding operators of L. That is, for F, G ∈ L^S, 

F ⊑ G = ∀s ∈ S · F(s) ⊑ G(s)    G = ¬F iff ∀s ∈ S · G(s) = ¬F(s) 

Theorem 2. [6] For any De Morgan algebra (L, ⊑, ¬) there exists a function neg : 
J(L) → J(L) defined as neg(j) = ⊓(L \ ↓¬j), such that 

∀ℓ ∈ L · ∀j ∈ J(L) · ¬ℓ ⊒ j = ¬(ℓ ⊒ neg(j)) 

Note that neg maps join-irreducible elements to join-irreducible elements and can be 
easily computed [6]. For example, for the algebra 3, neg(⊤) = M and neg(M) = ⊤. For the 
algebras 2 and 2×2, neg is the identity function. 
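The notions of Sect. 2.1 computed by brute force, as an added Python example that is not the paper's code: a finite lattice is given by its carrier set, an order predicate and a negation (an assumed interface), from which join, meet, the join-irreducibles of Definition 1, the decomposition of Theorem 1 and the function neg of Theorem 2 are derived. The constructed instances are the algebras 3 and 2×2; on 2×2 the negation is taken componentwise (an assumption of this example). The checks reproduce J(3) = {⊤, M}, J(2×2) = {TF, FT}, neg(⊤) = M and neg(M) = ⊤ for 3, and neg = identity for 2×2, and verify the identity of Theorem 2 on every pair (ℓ, j).

```python
"""Finite lattices, join-irreducibles (Definition 1), the decomposition of
Theorem 1 and neg of Theorem 2, by brute force.  Added example, not the paper's."""

class FiniteLattice:
    """A finite lattice with a De Morgan negation.  `leq(x, y)` is the order,
    `neg(x)` the involutive negation (an assumed interface)."""
    def __init__(self, elements, leq, neg):
        self.elems, self.leq, self.neg = list(elements), leq, neg

    def join(self, *xs):
        """Least upper bound of xs (join of the empty family is bottom)."""
        ubs = [u for u in self.elems if all(self.leq(x, u) for x in xs)]
        return next(u for u in ubs if all(self.leq(u, v) for v in ubs))

    def meet(self, *xs):
        """Greatest lower bound of xs (meet of the empty family is top)."""
        lbs = [l for l in self.elems if all(self.leq(l, x) for x in xs)]
        return next(l for l in lbs if all(self.leq(m, l) for m in lbs))

    def bottom(self): return self.join()
    def top(self): return self.meet()

    def down(self, *bs):
        """Downward closure: the elements below some element of bs."""
        return {e for e in self.elems if any(self.leq(e, b) for b in bs)}

    def join_irreducibles(self):
        """Definition 1: j != bottom, and j = x join y implies j in {x, y}."""
        bot = self.bottom()
        return [j for j in self.elems if j != bot and all(
            self.join(x, y) != j or x == j or y == j
            for x in self.elems for y in self.elems)]

    def theorem1_holds(self):
        """Every l equals the join of the join-irreducibles below it."""
        js = self.join_irreducibles()
        return all(self.join(*[j for j in js if self.leq(j, l)]) == l for l in self.elems)

    def neg_ji(self, j):
        """Theorem 2: neg(j) = meet of (L minus down(not j)); that set is
        non-empty because j != bottom, so not j != top."""
        excluded = self.down(self.neg(j))
        return self.meet(*[e for e in self.elems if e not in excluded])

    def theorem2_holds(self):
        """(not l) above j  iff  not (l above neg(j)), for all l and join-irreducible j."""
        return all(self.leq(j, self.neg(l)) == (not self.leq(self.neg_ji(j), l))
                   for l in self.elems for j in self.join_irreducibles())

def lattice3():
    """Constructed: the chain bot < M < top with not M = M (Kleene's 3)."""
    rank = {"bot": 0, "M": 1, "top": 2}
    flip = {"bot": "top", "M": "M", "top": "bot"}
    return FiniteLattice(rank, lambda x, y: rank[x] <= rank[y], lambda x: flip[x])

def lattice22():
    """Constructed: the product 2 x 2, ordered and negated componentwise;
    (True, False) plays the role of TF and (False, True) of FT."""
    elems = [(a, b) for a in (False, True) for b in (False, True)]
    return FiniteLattice(elems,
                         lambda x, y: x[0] <= y[0] and x[1] <= y[1],
                         lambda x: (not x[0], not x[1]))

if __name__ == "__main__":
    L3, L22 = lattice3(), lattice22()
    print(L3.join_irreducibles(), L3.neg_ji("top"), L3.neg_ji("M"))   # ['M', 'top'] M top
    print(L22.join_irreducibles())                                      # [(False, True), (True, False)]
```

Everything here is quadratic or cubic in |L|, which is fine for the small algebras the reduction targets; the point is that join-irreducibles and neg need nothing beyond the order and the negation table.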

2.2 Multi-valued Model-Checking 

Multi-valued model-checking [8] is a generalization of the temporal logic model- 
checking problem to arbitrary De Morgan logics. A multi-valued model-checker receives 
a De Morgan algebra, a multi-valued model, and a temporal property, and determines the 
value with which this property holds in the model. Multi-valued models are defined over 
χKripke structures - generalizations of Kripke structures, where each atomic proposi- 
tion and each transition between a pair of states are labeled with values from the algebra. 
Formally, a χKripke structure is a tuple K = (S, s_0, R, I, A, L), where S is a finite set 
of states; L is a De Morgan algebra; A is a set of atomic propositions; s_0 ∈ S is the 
initial state; R : S × S → L is a multi-valued transition relation; I : S × A → L is 
a (total) labeling function, such that for each atomic proposition a ∈ A, I(s, a) = ℓ 
means that variable a has value ℓ in state s. Thus, any Kripke structure is also a χKripke 
structure over the algebra 2. An example χKripke structure for the algebra 3 is given in 
Fig. 2(a). To avoid clutter when presenting finite-state machines graphically, we follow 
the convention of not showing ⊥ transitions and not labeling ⊤ transitions. 

Temporal logic properties are specified in L_μ(A, L) - a generalization of μ- 
calculus [25] to arbitrary De Morgan algebras. 

Definition 3. Let Var be a set of fixpoint variable names, A be a set of propositions, and 
L be a De Morgan algebra. The logic L_μ(A, L) is the set of formulas defined as: 

φ = Z | ℓ | p | ¬p | φ ∧ φ | φ ∨ φ | □φ | ◇φ | νZ · φ | μZ · φ 

where ℓ ∈ L, p ∈ A, and Z ∈ Var. 
Fig. 2. (a) A χKripke structure K over the algebra 3; (b) a Kripke structure K_T used to check 
truth of existential properties over K; (c) a Kripke structure for universal properties 



◇ and □ are the next-state operators, with the intuitive meaning "there exists a next 
state" and "for all next states", respectively. This gives rise to ◇L_μ(A, L) (existential) 
and □L_μ(A, L) (universal) fragments in which the only allowed next-state operators 
are ◇ and □, respectively. 

We write φ(Z) for a L_μ(A, L) formula φ that may contain a free occurrence of Z, 
and φ(ψ) for a formula obtained from φ by replacing all free occurrences of Z by ψ. μ 
and ν denote the least and the greatest fixpoint operators, respectively. 

Note that in L_μ(A, L), the negation operator ¬ is restricted to elements of L and 
propositions. Alternatively, we can define a logic L¬_μ(A, L) by relaxing this restriction. 
In this case, for a formula φ ∈ L¬_μ(A, L), νZ · φ(Z) and μZ · φ(Z) are in L¬_μ(A, L) if 
and only if Z occurs under an even scope of negations in φ. For example, μZ · ¬◇¬Z is 
in L¬_μ(A, L), but μZ · ¬◇Z is not. The traditional definition of μ-calculus is equivalent 
to L¬_μ(A, 2). To simplify the notation, we often write L_μ when parameters A and L are 
clear from the context, or L_μ(A) and L_μ(L) when we want to emphasize only one of 
the parameters. 

The semantics of L_μ is given by the function ||·|| that, for each formula φ and a state 
s of a χKripke structure, returns the value of φ in s. Note that ||·|| takes an additional 
parameter called an environment that is used to interpret the fixpoint variables. 

Definition 4. Let ℓ be an element of L, p ∈ A, s ∈ S, φ, ψ ∈ L_μ, and ρ : Var → L^S. 
Then the function ||·|| : L_μ × (Var → L^S) → L^S is defined as follows: 

||Z||_ρ(s) ≝ ρ(Z)(s)    ||ℓ||_ρ(s) ≝ ℓ 
||p||_ρ(s) ≝ I(s, p)    ||¬p||_ρ(s) ≝ ¬I(s, p) 
||φ ∧ ψ||_ρ(s) ≝ ||φ||_ρ(s) ⊓ ||ψ||_ρ(s)    ||φ ∨ ψ||_ρ(s) ≝ ||φ||_ρ(s) ⊔ ||ψ||_ρ(s) 
||◇φ||_ρ(s) ≝ ⊔_{t∈S} (R(s, t) ⊓ ||φ||_ρ(t))    ||□φ||_ρ(s) ≝ ⊓_{t∈S} (R(s, t) ⇒ ||φ||_ρ(t)) 
||μZ · φ(Z)||_ρ(s) ≝ (⊓{C ∈ L^S | ||φ||_{ρ[Z→C]} ⊑ C})(s) 
||νZ · φ(Z)||_ρ(s) ≝ (⊔{C ∈ L^S | C ⊑ ||φ||_{ρ[Z→C]}})(s) 

where ρ[Z → C] is an environment like ρ except that it maps Z to C. 

An environment that maps every Z ∈ Var to ⊥ is denoted by ⊥. For a closed 
formula φ, we write ||φ|| to stand for ||φ||_⊥. The value of a closed L_μ formula on a 
χKripke structure K is given by the value of φ in the initial state of K, i.e., ||φ||(s_0), 
and is often written as ||φ||^K. 

Note that under our definition, the next-time operators ◇ and □ are duals of each 
other, i.e., ¬◇¬φ = □φ. This also ensures the duality of the least and the greatest 
fixpoint operators, i.e. ¬μZ · φ(Z) = νZ · ¬φ(¬Z). Combining the above results with 
the involution property of the negation operator, we obtain the following theorem. 

Theorem 3. The negation-free fragment of is as expressive as 

Both CTL [10] and its multi-valued extension χCTL(L) [5] can be expressed in 
L_μ(A, L) as follows: 

EXφ = ◇φ    AXφ = □φ 
E[φ U ψ] = μZ · ψ ∨ (φ ∧ ◇Z)    A[φ U ψ] = μZ · ψ ∨ (φ ∧ □Z) 
EGφ = νZ · φ ∧ ◇Z    AGφ = νZ · φ ∧ □Z 

So, the reduction technique developed later in this paper for L_μ(L) is directly applicable 
to χCTL(L) as well. 



3 Reduction 

In this section, we systematically decompose a multi-valued μ-calculus (L_μ) model- 
checking problem into several classical μ-calculus (L_μ(2)) model-checking problems. 
One approach to the reduction, particularly prevalent for model-checking over the algebra 
3 (e.g. [1]), is to reduce the model only, while keeping the formula the same. In the 3- 
valued case, one constructs two models, corresponding to "the best" and "the worst" 
possible behaviors, with respect to the given temporal property. Of course, the definition 
of "best" and "worst" depends on quantifiers used in the property; further, for a property 
containing both universal and existential quantifiers, one must reduce the formula as 
well! 

We start by showing that a model-checking problem for L_μ(A, L) is reducible to sev- 
eral model-checking problems over a different logic, which we call L^⊒(A, L) (Sect. 3.1). 
We then show how to change a χKripke structure so that each of the resulting problems 
can be solved using a single call to a classical model-checker on a Kripke structure 
(Sect. 3.2). We put the two reductions together and illustrate them on an example in 
Sect. 3.3. Section 3.4 summarizes consequences of the reduction and analyzes its com- 
plexity. 



3.1 Model-Checking: From Multi-valued to Boolean 

This section introduces the first step of the reduction, by showing that a multi-valued 
model-checking problem can be reduced to several boolean model-checking problems. 
Note that this step only changes the property, while leaving the model unchanged. 

For any De Morgan algebra L, any element ℓ ∈ L is uniquely represented by the join 
of join-irreducible elements below it (Theorem 1). For any L_μ(L) formula φ and state 
s, ||φ||(s) is simply an element of L, so we can extend Theorem 1 to L_μ(L) as follows: 

Theorem 4. Let φ be a L_μ(L) formula, and s be a state of a χKripke structure over L. 
Then ||φ||_ρ(s) = ⊔_{j∈J(L)} (j ⊓ (||φ||_ρ(s) ⊒ j)). 

This theorem provides the basis for our reduction technique. The expression ||φ||_ρ(s) ⊒ 
j is interpreted over a χKripke structure, but it always evaluates to either ⊤ or ⊥. Thus, 
it allows us to reduce a multi-valued model-checking problem for L_μ(L) to |J(L)| 
boolean model-checking problems. 

In order to express the statement ||φ||_ρ(s) ⊒ j by a single temporal logic formula, 
we introduce the logic L^⊒. 

Definition 5. Let Var be a set of fixpoint variable names, A be a set of propositions, and 
L be a De Morgan algebra. The logic L^⊒(A, L) is the set of formulas defined as: 

φ = Z ⊒ j | ⊤ | ⊥ | p ⊒ j | ¬p ⊒ j | φ ∧ φ | φ ∨ φ | [⊒j]φ | ⟨⊒j⟩φ | νZ · φ | μZ · φ 

where j ∈ L, p ∈ A, and Z ∈ Var. 

Furthermore, in expressions Z ⊒ ℓ_1, ..., Z ⊒ ℓ_n we require that all algebra values be 
the same, i.e. ℓ_i = ℓ_j. The semantics of L^⊒(A, L) is given with respect to χKripke 
structures and is defined as follows: 

Definition 6. Let ℓ, j be elements of L, p ∈ A, s ∈ S, φ, ψ ∈ L^⊒, and ρ : Var → L^S. 
Then the function ||·|| on L^⊒ × (Var → L^S) is defined as: 

||⊤||_ρ(s) ≝ ⊤    ||⊥||_ρ(s) ≝ ⊥ 
||p ⊒ j||_ρ(s) ≝ I(s, p) ⊒ j    ||¬p ⊒ j||_ρ(s) ≝ ¬I(s, p) ⊒ j 
||Z ⊒ j||_ρ(s) ≝ ρ(Z)(s) ⊒ j 
||⟨⊒j⟩φ||_ρ(s) ≝ ⊔_{t∈S} ((R(s, t) ⊒ j) ⊓ ||φ||_ρ(t)) 
||[⊒j]φ||_ρ(s) ≝ ⊓_{t∈S} ((R(s, t) ⊒ j) ⇒ ||φ||_ρ(t)) 

with the semantics of ∧, ∨, μ and ν operators being the same as in Definition 4. 

Finally, we show that for any L_μ(L) formula φ, and any join-irreducible element j, 
the statement ||φ||_ρ ⊒ j is expressible in L^⊒. 

Theorem 5. Let φ be a L_μ(L) formula, j ∈ J(L), and s be a state of a χKripke 
structure. Then there exists a L^⊒ formula φ⇂j, called the cut of φ with respect to j, 
such that ||φ||_ρ(s) ⊒ j = ||φ⇂j||_ρ(s). 

The proof of this theorem is available in the full version of this paper. As a direct 
consequence of the proof, we obtain the following procedure for constructing φ⇂j. 
Given a formula φ ∈ L_μ(L) and a join-irreducible element j of L, φ⇂j is constructed 
by recursively applying the transformation ·⇂j that distributes over ∧, ∨, and greatest 
and least fixpoints ν and μ: 

p⇂j = p ⊒ j    (¬p)⇂j = ¬p ⊒ j 
(◇φ)⇂j = ⟨⊒j⟩(φ⇂j)    (□φ)⇂j = [⊒neg(j)](φ⇂j) 

For example, if φ = μZ · p ∨ (□Z ∧ ◇⊤), then its cut with respect to a join-irreducible 
element ⊤ of the algebra 3 is given by 

φ⇂⊤ = μZ · (p ⊒ ⊤) ∨ ([⊒M](Z ⊒ ⊤) ∧ ⟨⊒⊤⟩(⊤ ⊒ ⊤)) 

Combining Theorem 4 and Theorem 5, we obtain the following theorem. 
Combining Theorem 4 and Theorem 5, we obtain the following theorem. 
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Theorem 6. A multi-valued model-checking problem for the logic Lf^(C) is reducible 
to J{\C\) boolean model-checking problems for L=^{C). 

3.2 Reducing $L_\mu^{\sqsupseteq}$ 

We now show that the problem of model-checking a formula $\varphi \in L_\mu^{\sqsupseteq}$ on a $\chi$Kripke 
structure is reducible to a single model-checking problem for the classical $\mu$-calculus $L_\mu(\mathbf{2})$ 
on a Kripke structure. 

Theorem 7. Let $\varphi$ be an $L_\mu^{\sqsupseteq}(A, \mathcal{L})$ formula, $K = (S, s_0, R, I, A, \mathcal{L})$ be a $\chi$Kripke 
structure, and $\rho$ be an environment. Then there exists an $L_\mu(A', \mathbf{2})$ formula $\mathcal{T}(\varphi)$, 
a Kripke structure $K' = (S', s_0', R', I', A', \mathbf{2})$, and an environment $\rho'$ such that 
$\|\varphi\|_\rho^K = \|\mathcal{T}(\varphi)\|_{\rho'}^{K'}$. Moreover, $|S'|$ is in $O(|\mathcal{J}(\mathcal{L})| \times |S|)$. 

Thus, given an algebra $\mathcal{L}$, the model-checking problem for $L_\mu^{\sqsupseteq}(\mathcal{L})$ is reducible to 
model-checking an $L_\mu(\mathbf{2})$ formula at the expense of a linear increase in the size of the statespace. 
The Kripke structure $K'$ is obtained from $K$ by first constructing a Kripke Transition 
System (KTS) [28], treating algebra values on transitions as actions, and then converting 
the resulting KTS into a Kripke structure. 

Instead of proving Theorem 7 in the general case, we prove it for two fragments of 
$L_\mu^{\sqsupseteq}$ that are used in the reduction in Sect. 3.1. 

Temporal Logic $L_\mu^{\sqsupseteq j}$. Let $j$ be an element of $\mathcal{L}$. Then the fragment $L_\mu^{\sqsupseteq j}$ is defined to 
be the set of all formulas of $L_\mu^{\sqsupseteq}$ where only $j$ can appear on the right-hand side of $\sqsupseteq$, 
and only $\langle \sqsupseteq j \rangle$ and $[\sqsupseteq j]$ are allowed. For example, $\nu Z \cdot (p \sqsupseteq M) \vee \langle \sqsupseteq M \rangle (Z \sqsupseteq M)$ is in 
$L_\mu^{\sqsupseteq M}(\{p\}, \mathbf{3})$, but $(p \sqsupseteq \top)$ is not. This fragment is used to reduce existential properties. 

Given a formula $\varphi \in L_\mu^{\sqsupseteq j}(A, \mathcal{L})$ and a $\chi$Kripke structure $K = (S, s_0, R, I, A, \mathcal{L})$, 
we construct a Kripke structure $K' = (S, s_0, R', I', A', \mathbf{2})$ as follows: 

$A' = \{p^+ \mid p \in A\} \cup \{p^- \mid p \in A\}$ 
$R'(s,t) = R(s,t) \sqsupseteq j$ 
$I'(s, p^+) = I(s,p) \sqsupseteq j$ 
$I'(s, p^-) = \neg I(s,p) \sqsupseteq j$ 

Note that $K'$ has the same statespace as $K$, but twice as many propositions. For every 
proposition $p \in A$, it has a pair of propositions $p^+$ and $p^-$ corresponding to $p$ and $\neg p$, 
respectively. The transition relation of $K'$ consists of all transitions of $K$ whose value is 
above $j$. The reduced formula $\mathcal{T}(\varphi)$ is obtained from $\varphi$ by recursively removing $\sqsupseteq j$ and 
replacing every occurrence of $\langle \sqsupseteq j \rangle$ and $[\sqsupseteq j]$ by $\Diamond$ and $\Box$, respectively. For example, a 
formula $\varphi = \nu Z \cdot (p \sqsupseteq j) \wedge [\sqsupseteq j](Z \sqsupseteq j)$ is reduced to $\mathcal{T}(\varphi) = \nu Z \cdot p^+ \wedge \Box Z$. Finally, 
an environment $\rho$ is replaced by $\rho' = \rho \sqsupseteq j$. The fact that $\|\varphi\|_\rho^K = \|\mathcal{T}(\varphi)\|_{\rho'}^{K'}$ follows 
trivially from the construction. 

Temporal Logic $L_\mu^{\sqsupseteq j, \sqsupseteq i}$. Let $j$ and $i$ be elements of $\mathcal{L}$. Then the fragment $L_\mu^{\sqsupseteq j, \sqsupseteq i}$ is defined to 
be the set of all formulas obtained from $L_\mu^{\sqsupseteq j}$ by replacing the universal next-time operator 
$[\sqsupseteq j]$ with $[\sqsupseteq i]$. For example, $[\sqsupseteq M](p \sqsupseteq \top)$ is in $L_\mu^{\sqsupseteq \top, \sqsupseteq M}(\{p\}, \mathbf{3})$, but $[\sqsupseteq \top](p \sqsupseteq \top)$ is 
not. This fragment is used to reduce properties that contain both universal and existential 
next-time operators. 

Given a formula $\varphi \in L_\mu^{\sqsupseteq j, \sqsupseteq i}(A, \mathcal{L})$ and a $\chi$Kripke structure $K = (S, s_0, R, I, A, \mathcal{L})$, 
we construct a Kripke structure $K' = (S \times \{\top, \bot\}, (s_0, \top), R', I', A', \mathbf{2})$ as follows: 

$I'((s,a), p^+) = I(s,p) \sqsupseteq j$                 $R'((s,a), (t,\top)) = R(s,t) \sqsupseteq j$ 
$I'((s,a), p^-) = \neg I(s,p) \sqsupseteq j$            $R'((s,a), (t,\bot)) = R(s,t) \sqsupseteq i$ 
$I'((s,a), \mathit{tr}_j) = a$                          $I'((s,a), \mathit{tr}_i) = \neg a$ 
$A' = \{p^+ \mid p \in A\} \cup \{p^- \mid p \in A\} \cup \{\mathit{tr}_j, \mathit{tr}_i\}$ 

The Kripke structure $K'$ can be seen as having two distinct transition relations $R \sqsupseteq j$ 
and $R \sqsupseteq i$. To encode this, its statespace is extended to double the size of the statespace 
of $K$ such that there exists a transition between $(s,a)$ and $(t,\top)$ if and only if there is a 
transition between $s$ and $t$ in $K$ with value above $j$; and there exists a transition between 
$(s,a)$ and $(t,\bot)$ if and only if there exists a transition between $s$ and $t$ in $K$ with value 
above $i$. Similarly, its set of propositions $A'$ is extended with additional propositions 
$\mathit{tr}_j$ and $\mathit{tr}_i$, where $\mathit{tr}_j$ is true in a state $(s,a)$ if and only if $s$ is reachable by a 
transition in $K$ with value above $j$, and $\mathit{tr}_i$ is true if and only if $s$ is reachable by a 
transition whose value is above $i$. 

The reduced formula $\mathcal{T}(\varphi)$ is obtained by eliminating all occurrences of $\sqsupseteq j$ from 
$\varphi$ and replacing the temporal next-time operators $\langle \sqsupseteq j \rangle$ and $[\sqsupseteq i]$ as follows: 

$\mathcal{T}(\langle \sqsupseteq j \rangle \varphi) = \Diamond(\mathit{tr}_j \wedge \mathcal{T}(\varphi))$           $\mathcal{T}([\sqsupseteq i]\varphi) = \Box(\mathit{tr}_i \Rightarrow \mathcal{T}(\varphi))$ 

Finally, an environment $\rho$ is replaced by $\rho' = \rho \sqsupseteq j$. The proof that $\|\varphi\|_\rho^K = \|\mathcal{T}(\varphi)\|_{\rho'}^{K'}$ 
follows trivially from the construction. 

Note that the logic $L_\mu^{\sqsupseteq j, \sqsupseteq i}$ is as expressive as $L_\mu^{\sqsupseteq j}$ for $\chi$Kripke structures whose transition 
relation is boolean, i.e., $\forall s,t \in S \cdot R(s,t) \in \{\top, \bot\}$. In this case, the operators $[\sqsupseteq j]$ 
and $[\sqsupseteq i]$ are identical for all $i$ and $j$. 

3.3 Model-Checking: From Multi-valued to Classical 

Here, we combine Theorems 6 and 7 to yield the overall reduction and illustrate it on an 
example. 

Theorem 8. A multi-valued model-checking problem for the logic $L_\mu(\mathcal{L})$ is reducible 
to $|\mathcal{J}(\mathcal{L})|$ classical model-checking problems for $L_\mu(\mathbf{2})$. 

Theorem 8 leads to the following reduction algorithm. Given an $L_\mu(\mathcal{L})$ formula $\varphi$ and a 
$\chi$Kripke structure $K$, for every join-irreducible $j$ we (a) construct the $j$-cut $\varphi \Uparrow j$, and 
(b) use one of the reductions of Sect. 3.2 to reduce checking $\|\varphi \Uparrow j\|$ to a classical 
model-checking problem. The choice of the reduction to use depends on the structure 
of $\varphi$: if $\varphi$ is existential, its cut is expressible in $L_\mu^{\sqsupseteq j}$; otherwise, it is expressible in $L_\mu^{\sqsupseteq j, \sqsupseteq i}$. 

Example. To illustrate the reduction algorithm, we apply it to an existential property 
$\varphi = \mu Z \cdot p \vee \Diamond Z$ and state $s_0$ of the $\chi$Kripke structure $K$ shown in Fig. 2a. We start by 
constructing cuts of $\varphi$ with respect to the two join-irreducible elements of algebra $\mathbf{3}$: 

$\varphi \Uparrow \top = \mu Z \cdot (p \sqsupseteq \top) \vee \langle \sqsupseteq \top \rangle (Z \sqsupseteq \top)$ 
$\varphi \Uparrow M = \mu Z \cdot (p \sqsupseteq M) \vee \langle \sqsupseteq M \rangle (Z \sqsupseteq M)$ 

Next, for each cut $\varphi \Uparrow j$, we construct a Kripke structure $K_j$ and a $\mu$-calculus formula 
corresponding to the cut. Following the construction outlined in Sect. 3.2, both cuts are 
reduced to $\mu Z \cdot p^+ \vee \Diamond Z$. The Kripke structure $K_\top$ shown in Fig. 2b is obtained from $K$ 
by eliminating all non-$\top$ transitions, and replacing atomic propositions by their positive 
and negative versions. For conciseness we only show positive propositions in the figure. 
Finally, we model-check the $\mu$-calculus formula in state $s_0$ of $K_\top$. In our example, the 
property $\mu Z \cdot p^+ \vee \Diamond Z$ is true on $K_\top$, which implies that $\varphi \Uparrow \top$ holds on the $\chi$Kripke 
structure $K$, and therefore the value of the original property on $K$ is $\top$: 

$\|\mu Z \cdot p^+ \vee \Diamond Z\|^{K_\top} = \mathit{true}$ 
$\Rightarrow \|\varphi \Uparrow \top\|^K = \top$ 
$\Rightarrow \|\varphi\|^K = \top$ 

The case of $\varphi \Uparrow M$ is similar, except that $K_M$ is constructed from $K$ by treating all 
non-$\bot$ transitions as $\top$. 

For another example, let $\psi$ be a universal property $\psi = \nu Z \cdot p \wedge \Box Z$. After 
computing the cuts and performing the reduction, we obtain $\nu Z \cdot p^+ \wedge \Box Z$. The Kripke 
structure $K'_\top$ corresponding to the $\top$-cut (see Fig. 2c) is obtained from $K$ by treating all 
non-$\bot$ transitions as $\top$. Model-checking the property on $K'_\top$ yields false, which implies 
that the cut $\psi \Uparrow \top$ evaluates to $\bot$ on the $\chi$Kripke structure $K$, and therefore the value 
of $\psi$ on $K$ is less than $\top$. Since the algebra $\mathbf{3}$ has only three elements, this means that 
$\psi$ evaluates to either $M$ or $\bot$ on it. 

$\|\nu Z \cdot p^+ \wedge \Box Z\|^{K'_\top} = \mathit{false} \;\Rightarrow\; \|\psi \Uparrow \top\|^K = \bot \;\Rightarrow\; \|\psi\|^K \not\sqsupseteq \top \;\Rightarrow\; \|\psi\|^K \in \{\bot, M\}$ 

In this particular example, the value of $\psi$ on $K$ is $M$, and is obtained by checking the 
second cut, $\psi \Uparrow M$. □ 

Note that in the example above, the cut properties $\varphi \Uparrow j$ for both join-irreducible 
elements were syntactically equivalent. Thus, we only had to reduce the $\chi$Kripke structure, 
once for each join-irreducible element. However, the Kripke structures $K_\top$ and 
$K'_\top$, corresponding to the join-irreducible $\top$, were different: although they had the same 
statespace and the labeling function, the transition relation of $K'_\top$ was that of $K_M$. The 
reason is that $K_\top$ and $K'_\top$ were used to decide existential and universal formulas, 
respectively. In general, an existential part of a mixed formula should be checked over 
$K_\top$, and its universal part over $K'_\top$. Then the Kripke structure corresponding to the 
join-irreducible $\top$ contains transition relations of both $K_\top$ and $K'_\top$, as in the second 
reduction in Sect. 3.2. This construction gets reflected in cut formulas, which are different 
for each join-irreducible. 
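The reduction of Sects. 3.1-3.3 carried out in Python, as an added example that is not code from the paper: Theorem 4 (recombining the classical answers for each join-irreducible), the cut of an existential property $\mu Z \cdot p \vee \Diamond Z$ and of a universal property $\nu Z \cdot p \wedge \Box Z$, and the per-join-irreducible Kripke structures of Sect. 3.2 (transitions with value $\sqsupseteq j$, respectively $\sqsupseteq \mathit{neg}(j)$, and $p^+ = (p \sqsupseteq j)$). It assumes the 3-valued algebra as the total order $\bot < M < \top$, a small $\chi$Kripke structure constructed here (not the paper's Fig. 2a), and computes $\mathit{neg}(j)$ by search from the characterization $\neg\ell \sqsupseteq j \Leftrightarrow \neg(\ell \sqsupseteq \mathit{neg}(j))$ used in Sect. 3.4. It goes beyond the text in one respect: it also evaluates both properties directly in the multi-valued semantics and checks that the reduction agrees.

```python
# Added example (not from the paper): the reduction of Sects. 3.1-3.3 on the 3-valued
# algebra, cross-checked against a direct multi-valued fixpoint computation.
# The chiKripke structure K below is constructed for this example (not the paper's Fig. 2a).

# --- algebra 3: total order BOT < M < TOP; join = max, meet = min, negation reverses order
ELEMS = ["BOT", "M", "TOP"]
IDX = {e: i for i, e in enumerate(ELEMS)}
BOT, TOP = ELEMS[0], ELEMS[-1]
JOIN_IRR = ELEMS[1:]          # join-irreducibles of a finite total order: all but bottom

def join(a, b): return a if IDX[a] >= IDX[b] else b
def meet(a, b): return a if IDX[a] <= IDX[b] else b
def neg_l(a): return ELEMS[len(ELEMS) - 1 - IDX[a]]   # ~TOP = BOT, ~M = M, ~BOT = TOP
def above(a, j): return IDX[a] >= IDX[j]               # the boolean predicate (a ⊒ j)

def join_all(vals):
    acc = BOT
    for v in vals: acc = join(acc, v)
    return acc

def meet_all(vals):
    acc = TOP
    for v in vals: acc = meet(acc, v)
    return acc

def neg(j):
    """neg(j): the join-irreducible with  ~l ⊒ j  <=>  not (l ⊒ neg(j))  for every l
    (the Theorem 2 property used in Sect. 3.4), found by exhaustive search."""
    for cand in JOIN_IRR:
        if all(above(neg_l(l), j) == (not above(l, cand)) for l in ELEMS):
            return cand
    raise ValueError("no neg(j)")

# --- a chiKripke structure over 3 (constructed): one proposition p, 3-valued transitions
K = {"S": ["s0", "s1", "s2"],
     "p": {"s0": BOT, "s1": "M", "s2": TOP},
     "R": {("s0", "s0"): "M", ("s0", "s1"): TOP, ("s1", "s2"): "M", ("s2", "s2"): TOP}}

def R(K, s, t): return K["R"].get((s, t), BOT)   # absent transitions have value BOT

# --- direct multi-valued semantics, used only as the cross-check
def mv_ef(K):
    """||mu Z . p or <>Z|| with ||<>Z||(s) = join_t (R(s,t) meet Z(t))."""
    Z = {s: BOT for s in K["S"]}
    while True:
        nxt = {s: join(K["p"][s], join_all(meet(R(K, s, t), Z[t]) for t in K["S"]))
               for s in K["S"]}
        if nxt == Z: return Z
        Z = nxt

def mv_ag(K):
    """||nu Z . p and []Z|| with ||[]Z||(s) = meet_t (R(s,t) => Z(t)), a => b = ~a join b."""
    Z = {s: TOP for s in K["S"]}
    while True:
        nxt = {s: meet(K["p"][s], meet_all(join(neg_l(R(K, s, t)), Z[t]) for t in K["S"]))
               for s in K["S"]}
        if nxt == Z: return Z
        Z = nxt

# --- the reduction: cut w.r.t. a join-irreducible j, then a classical fixpoint
def kripke(K, j, jt):
    """Sect. 3.2 construction: p+ holds where p ⊒ j; keep transitions with value ⊒ jt."""
    pos = {s for s in K["S"] if above(K["p"][s], j)}
    succ = {s: {t for t in K["S"] if above(R(K, s, t), jt)} for s in K["S"]}
    return pos, succ

def cut_ef(K, j):
    """(mu Z . p or <>Z) cut j = mu Z . (p ⊒ j) or <⊒j>(Z ⊒ j): classical EF p+ on K_j."""
    pos, succ = kripke(K, j, j)
    X = set(pos)
    while True:
        nxt = X | {s for s in K["S"] if succ[s] & X}
        if nxt == X: return X
        X = nxt

def cut_ag(K, j):
    """(nu Z . p and []Z) cut j = nu Z . (p ⊒ j) and [⊒neg(j)](Z ⊒ j): classical AG p+
    on the structure keeping the transitions with value ⊒ neg(j)."""
    pos, succ = kripke(K, j, neg(j))
    X = set(K["S"])
    while True:
        nxt = {s for s in X if s in pos and succ[s] <= X}
        if nxt == X: return X
        X = nxt

def recombine(K, cut):
    """Theorem 4: ||phi||(s) = join over j in J(L) of (j meet (||phi||(s) ⊒ j)); the
    classical answer for the j-cut is (||phi||(s) ⊒ j), so the value is the join
    of those j whose cut holds at s."""
    cuts = {j: cut(K, j) for j in JOIN_IRR}
    return {s: join_all(j for j in JOIN_IRR if s in cuts[j]) for s in K["S"]}

def reduction_agrees(K):
    """True iff the reduction returns the direct multi-valued values for both properties."""
    return recombine(K, cut_ef) == mv_ef(K) and recombine(K, cut_ag) == mv_ag(K)

if __name__ == "__main__":
    print({j: neg(j) for j in JOIN_IRR})      # {'M': 'TOP', 'TOP': 'M'}
    print(recombine(K, cut_ef))               # {'s0': 'M', 's1': 'M', 's2': 'TOP'}
    print(recombine(K, cut_ag))               # {'s0': 'BOT', 's1': 'M', 's2': 'TOP'}
    print(reduction_agrees(K))                # True
```

The universal cut uses the transitions with value $\sqsupseteq \mathit{neg}(j)$, which for $j = \top$ in algebra $\mathbf{3}$ are the non-$\bot$ transitions, exactly as $K'_\top$ is built in the example above; the existential cut uses the transitions $\sqsupseteq j$, as $K_\top$ does.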

3.4 Discussion and Complexity 

We summarize the consequence of Theorem 8 for several fragments of $L_\mu(\mathcal{L})$ in Table 1. 
The first column of the table indicates the fragment of $L_\mu(\mathcal{L})$ used to specify the property; 
the second describes the restrictions placed on $\chi$Kripke structures; the third specifies 
the number of $L_\mu(\mathbf{2})$ model-checking problems required; and the last indicates the ratio 
between the size of the statespace $S'$ of the Kripke structures used by the reduction, 
and the statespace $S$ of the original $\chi$Kripke structure. For example, model-checking 
an arbitrary $L_\mu(\mathcal{L})$ property on a $\chi$Kripke structure $K$ is reducible to $|\mathcal{J}(\mathcal{L})|$ classical 
model-checking problems, each over a Kripke structure whose statespace is twice that of 
$K$. On the other hand, if the property is expressed in either the existential or the universal 
fragment of $L_\mu(\mathcal{L})$, then the multi-valued model-checking problem is reducible to $|\mathcal{J}(\mathcal{L})|$ 
classical model-checking problems, each over a Kripke structure with the statespace 
identical to the statespace of the original $\chi$Kripke structure. 

Table 1. Reducing multi-valued model-checking to classical 

 Property                        | $\chi$Kripke restrictions              | # of $L_\mu(\mathbf{2})$ problems | $|S'| / |S|$ 
 --------------------------------|----------------------------------------|-----------------------------------|-------------- 
 $L_\mu(\mathcal{L})$            | none                                   | $|\mathcal{J}(\mathcal{L})|$      | 2 
 $L_\mu(\mathcal{L})$            | $\{\top, \bot\}$ transition relation   | $|\mathcal{J}(\mathcal{L})|$      | 1 
 $\Diamond L_\mu(\mathcal{L})$   | none                                   | $|\mathcal{J}(\mathcal{L})|$      | 1 
 $\Box L_\mu(\mathcal{L})$       | none                                   | $|\mathcal{J}(\mathcal{L})|$      | 1 

Note that we have only considered reductions for the negation-free fragment $L_\mu^+(\mathcal{L})$ 
of $L_\mu(\mathcal{L})$. This is not a limitation of our approach since the negation-free fragment is as 
expressive as $L_\mu(\mathcal{L})$ (Theorem 3). Alternatively, it is easy to show that 
$\|\neg\varphi \Uparrow j\|(s) = \neg\|\varphi \Uparrow \mathit{neg}(j)\|(s)$ directly: 

$\|\neg\varphi \Uparrow j\|(s)$                                    (Definition of $\cdot \Uparrow j$) 
$= \|\neg\varphi\|(s) \sqsupseteq j$                             (Definition of $\|\cdot\|$) 
$= \neg\|\varphi\|(s) \sqsupseteq j$                             (Theorem 2) 
$= \neg(\|\varphi\|(s) \sqsupseteq \mathit{neg}(j))$              (Definition of $\cdot \Uparrow j$) 
$= \neg\|\varphi \Uparrow \mathit{neg}(j)\|(s)$ 

This, however, does not yield an elegant reduction algorithm. 

4 Related Work 

In this section, we compare the reduction presented in Sect. 3 to the work of others. 

Multi-valued Models (Fitting). Fitting [13,14] introduced a concept of multi-valued 
models and extended the propositional modal logic (i.e. $L_\mu(\mathcal{L})$ without the fixpoint 
operators) to them. In his models, the values of propositions and transitions come from 
a Heyting instead of a De Morgan algebra. 

Definition 7. [14] A Heyting algebra is a tuple $(\mathcal{L}, \sqsubseteq, \to, -)$, where $(\mathcal{L}, \sqsubseteq)$ is a distributive 
lattice; $\to$ is a relative pseudo-complement defined as $a \to b = \bigsqcup\{c \mid (c \sqcap a) \sqsubseteq b\}$; 
and $-$ is the negation operator defined as $-a = a \to \bot$. 

Heyting algebras are traditionally used as models for intuitionistic logic [15], with the 
relative pseudo-complement operator $\to$ used to model intuitionistic implication. The 
negation operator $-$ satisfies the law of non-contradiction ($a \sqcap -a = \bot$), but not 
necessarily the law of excluded middle, the involution of negation, or any of the De 
Morgan laws. 

Since the definition of $\Diamond L_\mu(\mathcal{L})$ only depends on the fact that $\mathcal{L}$ is distributive, 
it extends the propositional modal logic of [14] with the fixpoint operators. For this 
logic, the reduction from multi-valued to two-valued semantics suggested by Fitting is 
identical to ours, with the only exception that he uses the equivalent concept of proper 
prime filters [11] instead of join-irreducible elements. 

The definition of the universal next-time operator $\Box$ in [14] is the same as ours 
syntactically ($\|\Box\varphi\|(s) = \bigsqcap_{t \in S} (R(s,t) \to \|\varphi\|(t))$). However, Fitting interprets the 
implication operator as the relative pseudo-complement, whereas we interpret it as 
material implication. The two definitions coincide for Boolean algebras - algebras that 
are both Heyting and De Morgan. 

Definition 8. A Boolean algebra is a Heyting algebra $(\mathcal{L}, \sqsubseteq, \to, -)$ such that $(\mathcal{L}, \sqsubseteq, -)$ 
is a De Morgan algebra. 

The relative pseudo-complement operator $\to$ of a Boolean algebra is equivalent to the 
material implication $a \to b = a \Rightarrow b = -a \sqcup b$. 

Note that in the special case of Boolean algebras, Theorem 2 can be strengthened as 
follows: 

Theorem 9. Let $(\mathcal{L}, \sqsubseteq, \to, -)$ be a Boolean algebra. Then for any join-irreducible element 
$j \in \mathcal{J}(\mathcal{L})$, and $\ell \in \mathcal{L}$: $\neg\ell \sqsupseteq j = \neg(\ell \sqsupseteq j)$. 

A stronger version of Theorem 8 for Boolean algebras is given below. 

Theorem 10. For a Boolean algebra $\mathcal{L}$, multi-valued model-checking for the temporal 
logic $L_\mu(\mathcal{L})$ is reducible to $|\mathcal{J}(\mathcal{L})|$ model-checking problems for $L_\mu^{\sqsupseteq j}(\mathcal{L})$. 

That is, for a Boolean algebra $\mathcal{L}$, we get $|\mathcal{J}(\mathcal{L})|$ classical model-checking problems, 
each over a Kripke structure with the statespace identical to the statespace of $K$. 

Reducing Multi-valued Model-Checking to Classical Model-Checking. Konikowska 
and Penczek [23,24] introduced a multi-valued temporal logic mv-CTL*($\mathcal{L}$) - an 
extension of CTL* [12] to De Morgan algebras - and defined its semantics on $\chi$Kripke 
structures. An interesting consequence of their definition is that it does not preserve the 
duality of a universal path quantifier $A$ and an existential path quantifier $E$. For example, 
for an mv-CTL*($\mathcal{L}$) state formula $\varphi$: 

$\|A\varphi\|(s)$                                                        (Definition of $\|\cdot\|$ from [24]) 
$= \bigsqcap_{t \in S} (R(s,t) \sqcap \|\varphi\|(t))$ 
$\neq \neg\bigsqcup_{t \in S} (R(s,t) \sqcap \|\neg\varphi\|(t))$                 (Definition of $\|\cdot\|$ from [24]) 
$= \|\neg E \neg\varphi\|(s)$ 

The consequences of this observation are: (a) when restricted to the classical logic, 
mv-CTL*($\mathcal{L}$) is equivalent to the classical CTL* only on total Kripke structures; (b) 
contrary to the claim made in [24], the negation-free fragment of mv-CTL*($\mathcal{L}$) is less 
expressive than the full mv-CTL*($\mathcal{L}$); and (c) mv-CTL*($\mathcal{L}$) does not subsume commonly 
used multi-valued temporal logics such as $\chi$CTL($\mathcal{L}$) and the 3-valued $\mu$-calculus 
of [1]. 

In [24], Konikowska and Penczek also identified sufficient conditions for reducing 
a model-checking problem for the negation-free fragment of mv-CTL*($\mathcal{L}$) into several 
mv-CTL* model-checking problems over sub-algebras of $\mathcal{L}$. However, neither a proof 
of the existence of the reduction, nor a constructive algorithm for it are provided. Instead, 
the reduction is developed for three classes of De Morgan algebras: a finite total order, 
a product of finite total orders, and the De Morgan algebra depicted in Fig. 1d. Theorem 8 
in the current paper provides the missing existence proof and the reduction algorithm. 

Chechik et al. [6] developed a symbolic model-checking algorithm for $\chi$CTL($\mathcal{L}$) 
based on Binary Decision Diagrams (BDD) [3]. They showed that for a given set $S$ 
and a De Morgan algebra $\mathcal{L}$, $S \to \mathcal{L}$ functions (an mv-set in the terminology of [6]) 
can be represented and manipulated using a collection of $|\mathcal{J}(\mathcal{L})|$ boolean functions (or 
sets). For a given mv-set $Z : S \to \mathcal{L}$, the set $Z \Uparrow j$ of the collection corresponding to 
a join-irreducible element $j \in \mathcal{J}(\mathcal{L})$ is defined as $Z \Uparrow j = \{x \in S \mid Z(x) \sqsupseteq j\}$. 
In the current paper, we have extended the reduction technique of [6] to a richer logic 
$L_\mu(\mathcal{L})$ and decoupled the reduction from any particular implementation of the 
model-checking algorithm. Thus, our reduction technique is applicable to any current or future 
algorithm for classical model-checking together with any optimizations. The particular 
implementation of Chechik et al. [6] can be seen as an application of the reduction 
technique presented in the current paper in the context of symbolic model-checking. 

Reductions for 3-Valued Reasoning. Bruns and Godefroid [2,1], Godefroid et al. [16], 
and Huth et al. [20,19] studied the problem of model-checking over the algebra $\mathbf{3}$ on a 
variety of 3-valued finite-state transition systems. Bruns and Godefroid [1,2] investigated 
3-valued model-checking on Partial Kripke structures, where propositions are 3-valued 
but the transition relation is in $\{\top, \bot\}$. Godefroid et al. [16] provided an extension of 
the algorithm to Modal Transition Systems - a generalization of the Labeled Transition 
Systems of [26], in which the transition relation is allowed to become 3-valued. The 
idea is further extended by Huth et al. [20] to Kripke Modal Transition Systems, which 
are equivalent to our $\chi$Kripke structures when the algebra is $\mathbf{3}$. In all of these cases, 
it is shown that 3-valued model-checking is reducible to two classical model-checking 
problems. This is not surprising since all of the modeling formalisms have been shown to 
be equivalent [17]. Our logic $L_\mu(\mathbf{3})$ is equivalent to the 3-valued $\mu$-calculus of [2,16,20] 
(and thus subsumes 3-valued CTL [1]). So the multi-valued model-checking reduction 
technique presented here can be seen as an extension of the reduction for 3-valued 
model-checking beyond the algebra $\mathbf{3}$. 

Partial Model Checking from Multiple Viewpoints. The work of Huth and Pradhan [21] 
is the closest to ours. In this work, each of $\mathcal{C}$ stakeholders, arranged in a partial 
order, submits a partial model, consisting of valid ("must") and consistent ("may") 
statements about states and transitions. Given a first-order property, the model-checking 
problem is to determine the sets of stakeholders for which the property is valid or consistent, 
respectively. The stakeholders correspond to join-irreducibles in our framework. 
The reduction described in [21] results in $|\mathcal{C}|$ single-view partial models. Verification on 
each model is performed by switching between "valid" and "consistent" interpretations 
of satisfiability of properties. 
5 Conclusion 

In this paper, we studied the problem of multi-valued $\mu$-calculus model-checking. Instead 
of solving the problem directly, we reduced it to several classical problems that can be 
solved using existing model-checking tools. The number of such problems depends on 
the number of join-irreducible elements of the logic, and each problem is linear in the 
size of the property and the model. We have also put numerous existing works in the area 
of non-classical verification into the context of our work. 

Our results enable construction of clever algorithms that use results obtained from 
classical problems and the order of join-irreducibles to minimize the number of redundant 
checks. Yet, optimality can be achieved only by solving these problems in parallel, which 
is done by "true" multi-valued model-checkers such as $\chi$Chek [7]. 
Abstract. In this paper, we present a class of infinite transition systems 
which is an extension of pushdown systems (PDS), and show that LTL 
(linear temporal logic) model checking for the class is decidable. Since 
the class is defined as a subclass of term rewriting systems, the pushdown 
stack of a PDS is naturally extended to a tree structure. By this extension, 
we can model recursive programs with exception handling. 



1 Introduction 

Model checking [2] is a well-known technique which automatically verifies 
whether a system satisfies a given specification. Most existing model checking 
methods and tools assume that the system to be verified has a finite state space. 
This is a serious restriction when we apply model checking to software verification, 
since a program is usually modeled as a system with an infinite state space. 
There are two approaches to resolving the problem. One is that if a system to 
be verified has an infinite state space, then the system is transformed into an 
abstract system with a finite state space [4,11]. However, the abstract system does 
not always retain the desirable property which the original system has, in which 
case the verification fails. 

Another approach is to introduce a new subclass of transition systems which 
is wider than finite state systems. A pushdown system (abbreviated as PDS) is 
such a subclass: it is wider than finite state systems and yet has decidable 
model checking properties. A PDS can model a system which has a well-nested 
structure such as a program involving recursive procedure calls. Recently, efficient 
algorithms for LTL and CTL* model checking of PDS have been proposed 
in [5,6] (also see related works). The transition relation of a PDS is defined by 
transition rules which rewrite the finite control and a prefix of the string in the 
pushdown stack. Thus, if we model a program as a PDS, we are forced to define 
the behavior of the program by transition rules on strings. 

In this paper, we focus on term rewriting systems (abbreviated as TRS), 
one of the well-known general computation models, and define the 
model checking problem for TRS. For simplicity, we consider the rewrite relation 
induced by rewriting only at the root position of a term (root rewriting). 
Since a transition in a PDS changes the finite control and a prefix of the string 
in the stack, a PDS can be regarded as a TRS with root rewriting. Next, a new 
subclass of TRS, called generalized-growing TRS (GG-TRS), is defined. GG-TRS 
properly includes the growing TRS [17] of Nagaya and Toyama. We present 
a necessary and sufficient condition for a left-linear (LL-) GG-TRS $\mathcal{R}$ to have 
an infinite rewrite sequence which visits terms in a given set infinitely often. 
Based on this condition, we then present a condition for $\mathcal{R}$ to satisfy a given 
LTL formula $\phi$. The latter condition is decidable if $\mathcal{R}$ has a property called the pre- 
(or post-) recognizability preserving property. Lastly, we introduce a subclass of 
TRS called LL-SPO-TRS and show that every TRS in this subclass has the 
pre-recognizability preserving property. Every PDS belongs to both GG-TRS and 
LL-SPO-TRS. Furthermore, we show that a program with recursive procedures 
and exception handling can be naturally modeled as a TRS in both GG-TRS and 
LL-SPO-TRS, which is not strongly bisimilar to any PDS. In this sense, the 
decidability results on LTL model checking in this paper are an extension of the 
results in [5,6]. Detailed proofs are omitted due to space limitation (see [18]). 

Related Works. The model checking problem for PDS and the modal $\mu$-calculus 
is studied in [24]. For LTL and CTL*, efficient model checking algorithms 
for PDS are proposed in [5,6]. Major applications of model checking for 
PDS are static analysis of programs and security verification. For the former, 
Esparza et al. [6] discuss an application of model checking for PDS to dataflow 
analysis of recursive programs. Some results obtained by using their verification 
tool are also reported in [7]. The first work which applies model checking of a 
pushdown-type system to security verification is Jensen et al.'s study [13], which 
introduces a safety verification problem for a program with access control which 
generalizes JDK1.2 stack inspection. Nitta et al. [19,20] improve the result of [13] 
and show that a safety verification problem is decidable for an arbitrary program 
with stack inspection. In [20], a subclass of programs which exactly represents 
programs with JDK1.2 stack inspection is proposed, for which the safety 
verification problem is decidable in time polynomial in the program size. In [6], it 
is shown that LTL model checking is decidable for arbitrary programs with 
stack inspection. Jha and Reps show that name reduction in SPKI [22] can be 
represented as a PDS, and prove the decidability of a number of security problems 
by reductions to decidability properties of model checking for PDS [14]. 
Among other infinite state systems for which model checking has been studied 
are process rewrite systems (PRS) [16] and ground TRS [15]. PRS includes PDS 
and Petri nets as its subclasses. However, LTL model checking is undecidable for 
both PRS and ground TRS. 

2 Preliminaries 

2.1 Term Rewriting System 

We use the usual notions for terms, substitutions, etc. (see [1] for details). Let $\mathbb{N}$ 
denote the set of natural numbers. Let $\mathcal{F}$ be a signature and $V$ be an enumerable 
set of variables. An element in $\mathcal{F}$ is called a function symbol and the arity of 
$f \in \mathcal{F}$ is denoted by $\mathit{arity}(f)$. A function symbol $c$ with $\mathit{arity}(c) = 0$ is called 
a constant. The set of terms generated by $\mathcal{F}$ and $V$ is denoted by $T(\mathcal{F}, V)$. 
The set of variables occurring in $t$ is denoted by $\mathit{Var}(t)$. A term $t$ is ground if 
$\mathit{Var}(t) = \emptyset$. The set of all ground terms is denoted by $T(\mathcal{F})$. A term is linear if 
no variable occurs more than once in the term. A substitution $\theta$ is a mapping 
from $V$ to $T(\mathcal{F}, V)$ and written as $\theta = \{x_1 \mapsto t_1, \ldots, x_n \mapsto t_n\}$ where $t_i$ with 
$1 \le i \le n$ is a term which substitutes for the variable $x_i$. The term obtained 
by applying a substitution $\theta$ to a term $t$ is written as $t\theta$. We call $t\theta$ an instance 
of $t$. A position in a term $t$ is defined as a sequence of positive integers, and 
the root position is the empty sequence denoted by $\lambda$. The depth of a position 
$p \in (\mathbb{N} - \{0\})^*$, written as $|p|$, is the length of $p$ (e.g. $|132| = 3$). Let $\preceq_{pref}$ 
denote the prefix relation on positions. The set of all positions in a term $t$ is 
denoted by $\mathit{Pos}(t)$. Also let us define $\mathit{Pos}_{=n}(t) = \{p \in \mathit{Pos}(t) \mid |p| = n\}$ and 
$\mathit{Pos}_{>n}(t) = \{p \in \mathit{Pos}(t) \mid |p| > n\}$. A subterm of $t$ at a position $p \in \mathit{Pos}(t)$ is 
denoted by $t|_p$. $\mathit{Pos}(t, s)$ is the set $\{p \mid t|_p = s\}$. If $t|_p = f(\cdots)$, then we write 
$\mathit{lab}(t,p) = f$. If a term $t$ is obtained from a term $t'$ by replacing the subterms 
of $t'$ at positions $p_1, \ldots, p_m$ ($p_i \in \mathit{Pos}(t')$, $p_i$ and $p_j$ are disjoint if $i \ne j$) with 
terms $t_1, \ldots, t_m$, respectively, then we write $t = t'[p_i \leftarrow t_i \mid 1 \le i \le m]$. The 
depth of a term $t$ is $\max\{|p| \mid p \in \mathit{Pos}(t)\}$. For terms $s, t$, let $\mathit{mgu}(s,t)$ denote 
the most general unifier of $s$ and $t$ if it is defined. Otherwise, let $\mathit{mgu}(s,t) = \top$. 

A rewrite rule over a signature $\mathcal{F}$ is an ordered pair of terms in $T(\mathcal{F}, V)$, 
written as $l \to r$. A term rewriting system (TRS) over $\mathcal{F}$ is a finite set of rewrite 
rules over $\mathcal{F}$. For terms $t, t'$ and a TRS $\mathcal{R}$, we write $t \to_{\mathcal{R}} t'$ if there exists a 
position $p \in \mathit{Pos}(t)$, a substitution $\theta$ and a rewrite rule $l \to r \in \mathcal{R}$ such that 
$t|_p = l\theta$ and $t' = t[p \leftarrow r\theta]$. Define $\to^*_{\mathcal{R}}$ to be the reflexive and transitive closure 
of $\to_{\mathcal{R}}$. Sometimes $t \to^*_{\mathcal{R}} t'$ is called a rewrite sequence. Also the transitive 
closure of $\to_{\mathcal{R}}$ is denoted by $\to^+_{\mathcal{R}}$. The subscript $\mathcal{R}$ of $\to_{\mathcal{R}}$ is omitted if $\mathcal{R}$ is 
clear from the context. A redex (in $\mathcal{R}$) is an instance of $l$ for some $l \to r \in \mathcal{R}$. 
A normal form (in $\mathcal{R}$) is a term which has no redex as its subterm. Let $\mathit{NF}_{\mathcal{R}}$ 
denote the set of all ground normal forms in $\mathcal{R}$. A rewrite rule $l \to r$ is left-linear 
(resp. right-linear) if $l$ is linear (resp. $r$ is linear). A rewrite rule is linear if 
it is left-linear and right-linear. A TRS $\mathcal{R}$ is left-linear (resp. right-linear, linear) 
if every rule in $\mathcal{R}$ is left-linear (resp. right-linear, linear). 

2.2 Tree Automata and Recognizability 

A tree automaton (TA) [8] is defined by a 4-tuple $\mathcal{A} = (\mathcal{F}, Q, Q_f, \Delta)$ where $\mathcal{F}$ 
is a signature, $Q$ is a finite set of states, $Q_f \subseteq Q$ is a set of final states, and 
$\Delta$ is a finite set of transition rules of the form $f(q_1, \ldots, q_n) \to q$ where $f \in \mathcal{F}$, 
$\mathit{arity}(f) = n$, and $q_1, \ldots, q_n, q \in Q$, or of the form $q' \to q$ where $q, q' \in Q$. 
Consider the set of ground terms $T(\mathcal{F} \cup Q)$ where we define $\mathit{arity}(q) = 0$ for 
$q \in Q$. A transition of a TA can be regarded as a rewrite relation on $T(\mathcal{F} \cup Q)$ 
by regarding transition rules in $\Delta$ as rewrite rules over $\mathcal{F} \cup Q$. For terms $t$ and $t'$ 
in $T(\mathcal{F} \cup Q)$, we write $t \to_{\mathcal{A}} t'$ if and only if $t \to_{\Delta} t'$. The reflexive and transitive 
closure and the transitive closure of $\to_{\mathcal{A}}$ are denoted by $\to^*_{\mathcal{A}}$ and $\to^+_{\mathcal{A}}$, respectively. 
For a TA $\mathcal{A}$ and $t \in T(\mathcal{F})$, if $t \to^*_{\mathcal{A}} q_f$ for a final state $q_f \in Q_f$, then we say $t$ is 
accepted by $\mathcal{A}$. The set of all ground terms in $T(\mathcal{F})$ accepted by $\mathcal{A}$ is denoted by 
$\mathcal{L}(\mathcal{A})$ and we say that $\mathcal{A}$ recognizes $\mathcal{L}(\mathcal{A})$. A subset $L \subseteq T(\mathcal{F})$ of ground terms 
is called a tree language. A tree language $L$ is recognizable if there is a TA $\mathcal{A}$ 
such that $L = \mathcal{L}(\mathcal{A})$. 

For a TRS $\mathcal{R}$ and a tree language $L$, let $\mathit{post}^*_{\mathcal{R}}(L) = \{t \mid \exists s \in L \text{ s.t. } s \to^*_{\mathcal{R}} t\}$ 
and $\mathit{pre}^*_{\mathcal{R}}(L) = \{t \mid \exists s \in L \text{ s.t. } t \to^*_{\mathcal{R}} s\}$. A TRS $\mathcal{R}$ is said to effectively 
preserve post-recognizability (abbreviated as post-PR) if, for any TA $\mathcal{A}$, 
$\mathit{post}^*_{\mathcal{R}}(\mathcal{L}(\mathcal{A}))$ is also recognizable and we can effectively construct a TA which 
accepts $\mathit{post}^*_{\mathcal{R}}(\mathcal{L}(\mathcal{A}))$. We define pre-PR in a similar way. For a TRS $\mathcal{R}$, let 
$\mathcal{R}^{-1} = \{r \to l \mid l \to r \in \mathcal{R}\}$. By definition, $\mathit{post}^*_{\mathcal{R}^{-1}}(L) = \mathit{pre}^*_{\mathcal{R}}(L)$. Thus, a 
TRS $\mathcal{R}$ is pre-PR if and only if $\mathcal{R}^{-1}$ is post-PR. The class of recognizable tree 
languages is closed under boolean operations and the inclusion problem is decidable 
for the class [8]. Due to these properties, some important problems, e.g., 
reachability, joinability and local confluence, are decidable for post-PR TRS [10,12]. 
However, whether a given TRS is pre-PR (post-PR) is undecidable [9], and 
decidable subclasses of pre-PR or post-PR TRS have been proposed, some of 
which are listed with their inclusion relation: 

RL-SM (semi-monadic) TRS PI $\subset$ RL-GSM (generalized semi-monadic) TRS $\subset$ RL-FPO (finitely path overlapping) TRS [^^] 

where RL stands for 'right-linear.' As a decidable subclass of pre-PR TRS, left-linear 
growing TRS (LL-G-TRS) [17] is known. A TRS $\mathcal{R}$ is a G-TRS if for every 
rule $l \to r$ in $\mathcal{R}$, every variable in $\mathit{Var}(l) \cap \mathit{Var}(r)$ appears at depth 0 or 1 in $l$. 
Hence, a shallow TRS is always a G-TRS. Note that $\mathcal{R}$ is an SM-TRS if and 
only if $\mathcal{R}^{-1}$ is a G-TRS and the left-hand side of any rule in $\mathcal{R}$ is not a constant. 
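The acceptance condition $t \to^*_{\mathcal{A}} q_f$ of this section, as an added example that is not code from the paper: a nondeterministic bottom-up run of a tree automaton, including the $\varepsilon$-rules $q' \to q$, over terms encoded as (symbol, args) tuples. The automaton, its state names and the signature $\mathcal{F} = \{f/2, a/0, b/0\}$ are constructed for this example; it recognizes the ground terms that contain at least one $b$.

```python
# Added example (not from the paper): a nondeterministic bottom-up run of a tree
# automaton over (symbol, args) tuple terms, with epsilon-rules q' -> q, and the
# membership test t in L(A).  The automaton below is constructed for this example: it
# recognizes the ground terms over F = {f/2, a/0, b/0} that contain at least one b.

# Delta as a list of rules.  f(q1,...,qn) -> q is ((f, (q1,...,qn)), q);
# an epsilon-rule q' -> q is (("", (q',)), q), the empty symbol marking it.
RULES = [(("a", ()), "q0"), (("b", ()), "q1"),
         (("f", ("q0", "q0")), "q0"),
         (("f", ("q0", "q1")), "q1"), (("f", ("q1", "q0")), "q1"), (("f", ("q1", "q1")), "q1"),
         (("", ("q1",)), "qf")]                     # epsilon-rule q1 -> qf
FINAL = {"qf"}

def eps_close(states, rules):
    """Close a set of states under the epsilon-rules q' -> q."""
    closed, changed = set(states), True
    while changed:
        changed = False
        for (sym, src), q in rules:
            if sym == "" and src[0] in closed and q not in closed:
                closed.add(q)
                changed = True
    return closed

def states_of(t, rules):
    """All states q with t ->*_A q: evaluate the children first, then apply every
    rule whose left-hand side symbol and argument states fit (nondeterministic)."""
    f, args = t
    arg_states = [states_of(a, rules) for a in args]
    reached = {q for (sym, src), q in rules
               if sym == f and len(src) == len(args)
               and all(s in st for s, st in zip(src, arg_states))}
    return eps_close(reached, rules)

def accepts(t, rules=RULES, final=FINAL):
    """t in L(A) iff some final state is reachable from t."""
    return bool(states_of(t, rules) & final)

if __name__ == "__main__":
    a, b = ("a", ()), ("b", ())
    print(accepts(("f", (a, ("f", (b, a))))))   # True
    print(accepts(("f", (a, a))))               # False
```

Because the run is computed as a set of states per subterm, the same function serves deterministic and nondeterministic automata alike; the $\varepsilon$-closure is taken after each node, matching the view of $\Delta$ as rewrite rules over $\mathcal{F} \cup Q$.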

2.3 Transition Systems and Linear Temporal Logic 

A transition system is a 3-tuple $\mathcal{S} = (S, \to, s_0)$, where $S$ is a (possibly infinite) 
set of states, $\to \subseteq S \times S$ is a transition relation and $s_0 \in S$ is an initial state. 
The transitive closure of $\to$ and the reflexive and transitive closure of $\to$ are 
written as $\to^+$ and $\to^*$, respectively. A run of $\mathcal{S}$ is an infinite sequence of states 
$\sigma = s_1 s_2 \ldots$ such that $s_i \to s_{i+1}$ for each $i \ge 1$. Let $\mathit{At} = \{a_1, a_2, \ldots, a_k\}$ be a 
set of atomic propositions. The syntax of a linear temporal logic (LTL) formula $\phi$ 
is defined by 

$\phi ::= \mathit{tt} \mid a_i \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid X\phi \mid \phi_1 \mathcal{U} \phi_2$ 

($1 \le i \le k$ and $\phi_1, \phi_2$ are LTL formulas). For a transition system $\mathcal{S} = (S, \to, s_0)$, 
a valuation of $\mathcal{S}$ is a function $\nu : \mathit{At} \to 2^S$. The validity of an LTL formula $\phi$ for 
a run $\sigma = s_1 s_2 \ldots$ w.r.t. a valuation $\nu$ is denoted by $\sigma \models^\nu \phi$, and defined in the 
standard way [2]. We say $\phi$ is valid at $s$ w.r.t. $\nu$, denoted as $s \models^\nu \phi$, if and only 
if $\sigma \models^\nu \phi$ for each run $\sigma$ starting in $s$. 

2.4 Model Checking for TRS

Given a TRS $\mathcal{R}$ over a signature $\mathcal{F}$ and a term $t_0 \in T(\mathcal{F})$, we can define a transition system $\mathcal{S}_\mathcal{R} = (T(\mathcal{F}), \to_{\mathcal{S}_\mathcal{R}}, t_0)$ where $\to_{\mathcal{S}_\mathcal{R}} = \to_\mathcal{R} \cup \{(t, t) \mid t \in NF_\mathcal{R}\}$. Note that the reflexive relation $\{(t, t) \mid t \in NF_\mathcal{R}\}$ is needed to make the transition relation $\to_{\mathcal{S}_\mathcal{R}}$ total. The validity of LTL formula $\phi$ at $t_0$ of $\mathcal{S}_\mathcal{R}$ w.r.t. $v : At \to 2^{T(\mathcal{F})}$ is denoted as $\mathcal{R}, t_0 \models^v \phi$. From an LTL formula $\phi$, we can construct a Büchi automaton which recognizes the set of models of $\neg\phi$. Therefore, we often assume that we are given a Büchi automaton instead of an LTL formula. In a similar way to the model checking method in [6], we define a Büchi TRS which synchronizes a transition system $\mathcal{S}_\mathcal{R}$ given by a TRS $\mathcal{R}$ with a Büchi automaton $B$. First, to make the definition constructive, we make a few observations. To synchronize $\mathcal{S}_\mathcal{R}$ with $B$, we must construct a Büchi TRS so that the redex can keep track of the information on the current state of $B$ and the valuation of the current term of $\mathcal{S}_\mathcal{R}$. However, if we allow an arbitrary redex to be rewritten, transmitting the above information to the next redex in the Büchi TRS becomes difficult. For this reason, we consider root rewriting, which restricts rewriting positions to the root position.

Definition 1. (Root Rewriting) For terms $t, t'$ and a TRS $\mathcal{R}$, we say $t \to_\mathcal{R} t'$ is root rewriting, if there exist a substitution $\theta$ and a rewrite rule $l \to r \in \mathcal{R}$ such that $t = l\theta$ and $t' = r\theta$. ∎

If we consider root rewriting, it is not difficult to see that there effectively exists a TRS of which the rewrite relation exactly corresponds to $\to_{\mathcal{S}_\mathcal{R}}$. Let $\{A_1, \ldots, A_m\}$ be a set of terms in $T(\mathcal{F}, V)$ such that $NF_\mathcal{R} = \{A_i\theta \mid 1 \le i \le m,\ \theta : V \to T(\mathcal{F}) \text{ is a substitution}\}$, and $mgu(A_i, A_j) = \top$ $(1 \le i < j \le m)$. Also, let $\bar{\mathcal{R}} = \mathcal{R} \cup \{A_i \to A_i \mid 1 \le i \le m\}$. Then, $t \in NF_\mathcal{R}$ if and only if there exists a unique $A_i$ such that $t \to_{\bar{\mathcal{R}}} t \to_{\bar{\mathcal{R}}} \cdots$ where $A_i \to A_i$ is applied in each rewrite step. Hence, we know $\to_{\mathcal{S}_\mathcal{R}} = \to_{\bar{\mathcal{R}}}$, i.e., the transition relation $\to_{\mathcal{S}_\mathcal{R}}$ of $\mathcal{S}_\mathcal{R}$ can be induced by TRS $\bar{\mathcal{R}}$. Next, we extend the definitions of valuations of PDS [5,6].

Definition 2. (Simple Valuation)

Let $\mu : At \to T(\mathcal{F}, V)$ be a function such that for each $a \in At$ and $l \to r \in \mathcal{R}$, $mgu(l, \mu(a)) = l$ or $= \top$. The simple valuation $v : At \to 2^{T(\mathcal{F})}$ given by $\mu$ is defined as $v(a) = \{\mu(a)\theta \mid \theta \text{ is a substitution}\}$. ∎

In the definition, $\mu(a)$ specifies a pattern of terms for which proposition $a$ is true. For example, if $\mu(a_1) = f(x, g(y))$ then $\mathcal{R}, t \models^v a_1$ if and only if $t$ is an instance of $f(x, g(y))$. The restriction that $mgu(l, \mu(a)) = l$ or $= \top$ guarantees that for a rewrite rule $l \to r$, whether $\mathcal{R}, l\theta \models^v a$ is determined independent of a substitution $\theta$.

Definition 3. (Regular Valuation)

For each atomic proposition $a \in At$, a TA $\mathcal{A}_a$ is given. The regular valuation $v : At \to 2^{T(\mathcal{F})}$ given by $(\mathcal{A}_a)_{a \in At}$ is defined as $v(a) = \mathcal{L}(\mathcal{A}_a)$. ∎

Definition 3 says that $\mathcal{R}, t \models^v a$ if and only if $t$ is accepted by $\mathcal{A}_a$. This is a natural extension of regular valuation $v$ of PDS, where a configuration $(q, w)$ is a pair of a control location $q$ and a sequence $w$ of stack symbols and $(q, w) \models^v a$ if and only if the sequence $qw$ is accepted by a finite state automaton $\mathcal{A}_a$ given for $a$.
Definition 4. (Büchi TRS) Let $At$ be a set of atomic propositions, $\mathcal{R}$ be a TRS, $B = (Q_B, \Sigma_B, \Delta_B, q_{0B}, Q_B^{acc})$ ($\Sigma_B = 2^{At}$, $Q_B \cap \mathcal{F} = \emptyset$) be a Büchi automaton, and $v$ be the simple valuation given by $\mu : At \to T(\mathcal{F}, V)$. For $\mathcal{R}$, $B$ and $v$, we define Büchi TRS $B\mathcal{R}^v$ as follows: The signature of $B\mathcal{R}^v$ is $\mathcal{F}_{B\mathcal{R}^v} = Q_B \cup \mathcal{F}$ (for any $q \in Q_B$, $arity(q) = 1$), and $B\mathcal{R}^v$ is the minimum set of rules satisfying:

$q \xrightarrow{\alpha} q' \in \Delta_B$, $l \to r \in \mathcal{R}$, and $\alpha \supseteq \{a \in At \mid mgu(l, \mu(a)) = l\}$ $\Longrightarrow$ $q(l) \to q'(r) \in B\mathcal{R}^v$. ∎

If $v$ is regular, then we can reduce a model checking problem w.r.t. $v$ to a model checking problem w.r.t. a simple valuation in a similar way to [6].

Lemma 1. Let $\mathcal{R}$ be a TRS, $t_0 \in T(\mathcal{F})$ be an initial state, $\phi$ be an LTL formula, $B = (Q_B, \Sigma_B, \Delta_B, q_{0B}, Q_B^{acc})$ ($\Sigma_B = 2^{At}$, $Q_B \cap \mathcal{F} = \emptyset$) be a Büchi automaton which represents $\neg\phi$, and $v$ be the simple valuation given by $\mu : At \to T(\mathcal{F}, V)$. Also, let $T_{acc} = \{q_a(t) \mid q_a \in Q_B^{acc},\ t \in T(\mathcal{F})\}$. $\mathcal{R}, t_0 \not\models^v \phi$ if and only if there exists an infinite root rewrite sequence of Büchi TRS $B\mathcal{R}^v$ starting in $q_{0B}(t_0)$ and visiting $T_{acc}$ infinitely often. ∎

3 Generalized-Growing TRS and Its Model Checking

The restriction of root rewriting (Definition 1) on TRS $\mathcal{R}$ is insufficient to make the model checking problem for $\mathcal{R}$ decidable, because root rewriting TRSs are still Turing powerful. In fact, we can define an automaton with two pushdown stacks (which is Turing powerful) as a left-linear root rewriting TRS by encoding a state of the finite control as a root symbol $q$ with arity 2 and each of the two stacks as each argument of $q$. The reason why root rewriting TRSs are Turing powerful is unrestricted information flow between different arguments of a function symbol such as $q$ above. We introduce a subclass of TRS, called LL-GG-TRS, in which the information of (function symbols in) an argument is never shifted to another argument, and show that if an LL-GG-TRS $\mathcal{R}$ is post-PR (or pre-PR), then LTL model checking for $\mathcal{R}$ is decidable. For positions $p_1, p_2$, we define the least common ancestor $p_1 \sqcup p_2$ as the longest common prefix of $p_1$ and $p_2$.

Definition 5. (Left-Linear Generalized-Growing TRS (LL-GG-TRS))

A left-linear rule $l \to r$ is generalized-growing, if every two different variables $x, y \in Var(l) \cap Var(r)$ satisfy the following condition: For the positions $o^l_x, o^l_y$ of $x, y$ in $l$ and for each positions $o^r_x \in Pos(r, x)$, $o^r_y \in Pos(r, y)$ of $x, y$ in $r$,

$|o^l_x| - |o^l_x \sqcup o^l_y| \le |o^r_x| - |o^r_x \sqcup o^r_y|$, and $|o^l_y| - |o^l_x \sqcup o^l_y| \le |o^r_y| - |o^r_x \sqcup o^r_y|$.

$\mathcal{R}$ is left-linear generalized-growing (LL-GG), if every rule in TRS $\mathcal{R}$ is left-linear and generalized-growing. ∎

Obviously, an LL-G-TRS (see Sect. 2.2) is always an LL-GG-TRS.

Example 1. Consider $\mathcal{R}_1 = \{ f(g(x,y)) \to f(h(y),x) \}$. The position of $x$ is 11 in $l$ and 2 in $r$, and the position of $y$ is 12 in $l$ and 11 in $r$. Since $11 \sqcup 12 = 1$ and $2 \sqcup 11 = \lambda$, $\mathcal{R}_1$ is an LL-GG-TRS, but $\mathcal{R}_1$ is not an LL-G-TRS because variables $x$ and $y$ occur at depth 2 in $l$. On the other hand, $\{ f(h(y),x) \to f(g(x,y)) \}$ is not an LL-GG-TRS, since the difference of the depth of positions in $l$ between $y$ and the least common ancestor of $x$ and $y$ is larger than that in $r$. ∎

    void main() {
    L0:   switch (random_integer) {
          case 0:
    L1:     main();
            break;
          case 1:
    L2:     try {
    L3:       main();
            } catch (e) {
    L4:       nop;
            }
            break;
          case 2:
    L5:     throw e;
          }
    L6:   return;
    }

    R2 = {
      L0(x,y) -> L1(x,y),  L0(x,y) -> L2(x,y),  L0(x,y) -> L5(x,y),
      L0(x,y) -> L6(x,y),  L4(x,y) -> L6(x,y)                         : seq
      L6(x,y) -> x                                                    : ret
      L5(x,y) -> y                                                    : throw
      L1(x,y) -> L0(L6(x,y),y),  L3(x,y) -> L0(L6(x,y),y)             : call
      L2(x,y) -> L3(x,L4(x,y))                                        : try-catch
    }

Fig. 1. A sample program with exception handling

Example 2. (Recursive Program with Exception Handling)

It is well-known that a program with recursive procedures can be naturally modeled as a PDS, and further in [21], a PDS model of Java-like programs including exception handling was proposed. In this model, the exception handling mechanism is implemented by adding extra control states and rules which represent low-level operations of the execution environment. On the other hand, in this example, we present an LL-GG-TRS model of recursive programs, which is closer to the behavioral semantics incorporated with exception handling at the source code level. For example, a Java-like program in the left half of Fig. 1 can be directly modeled as an LL-GG-TRS $\mathcal{R}_2$ shown in the right half. Note that the class LL-GG-TRS is properly wider than the class of PDSs w.r.t. strong bisimulation equivalence, and $\mathcal{R}_2$ is an example of LL-GG-TRS which has no strongly bisimilar PDS [18]. In a Java program, try-catch-throw statements are used for specifying exception handling. By the execution of a throw statement, an exception is propagated in the program. If an exception occurs within a try block, then the control immediately moves to the catch statement coupled with the try statement (with unwinding the control stack). From a program $Prog$ including try-catch-throw statements, we can construct an LL-GG-TRS $\mathcal{R}$ as follows. In $\mathcal{R}$, every term $t$ has the form of $l(t_1, t_2)$ where $l$ denotes the current program location of $Prog$, $t_1$ denotes the next state of $t$ if a return statement is executed at $l$, and $t_2$ denotes the next state of $t$ if an exception occurs at $l$. A constant symbol $\square$ denotes the stack bottom. Every unit execution of $Prog$ belongs to one of the five types, seq, call, ret, try-catch and throw, and is translated into one of the following rules according to its type:

seq: $current(x, y) \to succ(x, y)$,
call: $caller(x, y) \to callee(succ(x, y), y)$,
ret: $ret(x, y) \to x$,
try-catch: $try(x, y) \to succ(x, catch(x, y))$,
throw: $throw(x, y) \to y$.

A seq rule and a call rule represent a sequential execution in a method and a method invocation, respectively. A try-catch rule represents the behavior of a try-catch block, where $succ$ is the entry point of the try block and $catch$ is the entry point of the catch block. A ret rule and a throw rule represent a return statement and a throw statement, respectively. It is interesting to recognize a symmetry between (call, ret) rules and (try-catch, throw) rules. Recall the program in Fig. 1. Since the statement at L2 is try, the entry point of the try block is L3, and the entry point of the catch block is L4, $L_2(x, y) \to L_3(x, L_4(x, y)) \in \mathcal{R}_2$. ∎
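As an added example (our code, not the paper's), the translation of Example 2 carried out on the Fig. 1 program, together with a root-rewriting simulator that follows one execution. The table encoding of the program, the constant name bottom standing for □, and the scenario chosen (the callee throws inside the caller's try block) are our own construction.

```python
# Added example (our code, not the paper's): the Example 2 translation of a program
# with try/catch/throw into seq / call / ret / try-catch / throw rules, applied to
# the Fig. 1 program, plus a root-rewriting simulator (Definition 1) for one run.
# Terms are nested tuples (symbol, arg1, ...); variables are bare strings.

BOTTOM = ('bottom',)     # our stand-in for the stack-bottom constant of the paper

# Unit executions of the Fig. 1 program keyed by location (our encoding).
# A seq entry lists every possible successor: the switch is nondeterministic.
FIG1_PROGRAM = {
    'L0': ('seq', ['L1', 'L2', 'L5', 'L6']),
    'L1': ('call', 'L0', 'L6'),    # call main(); continue at L6 after the return
    'L2': ('try', 'L3', 'L4'),     # try block starts at L3, catch block at L4
    'L3': ('call', 'L0', 'L6'),
    'L4': ('seq', ['L6']),
    'L5': ('throw',),
    'L6': ('ret',),
}


def translate(program):
    """Build the LL-GG-TRS of Example 2: every term is loc(x, y), where x is the
    continuation taken by a return and y the continuation taken by an exception."""
    rules = []
    for loc, unit in program.items():
        lhs, kind = (loc, 'x', 'y'), unit[0]
        if kind == 'seq':                      # current(x,y) -> succ(x,y)
            rules += [(lhs, (succ, 'x', 'y')) for succ in unit[1]]
        elif kind == 'call':                   # caller(x,y) -> callee(succ(x,y), y)
            callee, succ = unit[1], unit[2]
            rules.append((lhs, (callee, (succ, 'x', 'y'), 'y')))
        elif kind == 'try':                    # try(x,y) -> succ(x, catch(x,y))
            succ, catch = unit[1], unit[2]
            rules.append((lhs, (succ, 'x', (catch, 'x', 'y'))))
        elif kind == 'ret':                    # ret(x,y) -> x
            rules.append((lhs, 'x'))
        elif kind == 'throw':                  # throw(x,y) -> y
            rules.append((lhs, 'y'))
        else:
            raise ValueError(f'unknown unit kind {kind!r} at {loc}')
    return rules


def match(pattern, term, subst):
    """Match a linear pattern against a ground term, filling `subst`."""
    if isinstance(pattern, str):
        subst[pattern] = term
        return True
    if isinstance(term, str) or pattern[0] != term[0] or len(pattern) != len(term):
        return False
    return all(match(p, t, subst) for p, t in zip(pattern[1:], term[1:]))


def substitute(term, subst):
    if isinstance(term, str):
        return subst[term]
    return (term[0],) + tuple(substitute(a, subst) for a in term[1:])


def root_successors(rules, term):
    """All t' with term -> t' by root rewriting: the whole term must match a lhs."""
    out = []
    for lhs, rhs in rules:
        subst = {}
        if match(lhs, term, subst):
            out.append(substitute(rhs, subst))
    return out


def run_path(rules, term, heads):
    """Follow root rewriting, resolving nondeterminism by taking at each step the
    successor whose root symbol is the next entry of `heads`.  Returns the trace."""
    trace = [term]
    for head in heads:
        chosen = [t for t in root_successors(rules, term) if t[0] == head]
        if len(chosen) != 1:
            raise ValueError(f'no unique successor with root {head} from {term}')
        term = chosen[0]
        trace.append(term)
    return trace


R2 = translate(FIG1_PROGRAM)

# Constructed scenario: main enters the try (case 1), calls main recursively and the
# callee throws (case 2).  The throw rule drops the callee frame and lands directly
# in the caller's catch block L4, which continues to L6 and returns to the bottom.
SCENARIO = ['L2', 'L3', 'L0', 'L5', 'L4', 'L6', 'bottom']

if __name__ == '__main__':
    for t in run_path(R2, ('L0', BOTTOM, BOTTOM), SCENARIO):
        print(t)
```

Step three of the trace is the term L0(L6(□, L4(□, □)), L4(□, □)): the second argument carries the catch continuation installed by the try-catch rule, so the throw rule's `y` projection is the whole exception mechanism, with no extra control states.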



In the following, we only consider root rewrite sequences consisting of ground terms. The first lemma for LL-GG-TRS states that for any root rewrite sequence $\sigma$, if there exists a position $o_0$ in the first term $t_0$ of $\sigma$ such that the depth of (a residual of) $o_0$ is never shortened in $\sigma$, then for every ‘sufficiently deep’ position $p_0$ in $t_0$, every residual of $p_0$ is never contained in any redex. For a TRS $\mathcal{R}$, let $max_v(\mathcal{R})$ be the maximum depth of positions of variables in the left-hand sides of rules in $\mathcal{R}$, and $max_f(\mathcal{R})$ be the maximum depth of positions of function symbols in both sides of rules in $\mathcal{R}$. For a rewrite sequence $\sigma$ starting in $t$ and $p \in Pos(t)$, the set of residuals of $p$ in $\sigma$, denoted as $Res(p, \sigma)$, is defined as follows. For the sequence of length zero, $Res(p, t) = \{p\}$. Assume $t = l\theta \to_\mathcal{R} r\theta = t'$ for a rule $l \to r$ and a substitution $\theta$.

$Res(p, t \to_\mathcal{R} t') = \{p'_1 p_2 \mid lab(r, p'_1) = x\}$ if $p = p_1 p_2$ and $lab(l, p_1) = x \in Var(l)$, and $Res(p, t \to_\mathcal{R} t') = \emptyset$ otherwise.

For a rewrite sequence $t \to_\mathcal{R} t' \to^*_\mathcal{R} t''$, $Res(p, t \to_\mathcal{R} t' \to^*_\mathcal{R} t'') = \{p'' \mid p' \in Res(p, t \to_\mathcal{R} t') \text{ and } p'' \in Res(p', t' \to^*_\mathcal{R} t'')\}$. We abbreviate $Res(p, t \to^*_\mathcal{R} t')$ as $Res(p, t')$ if the sequence $t \to^*_\mathcal{R} t'$ is clear from the context.

Lemma 2. Let $\mathcal{R}$ be an LL-GG-TRS and $c = max_v(\mathcal{R}) + max_f(\mathcal{R}) + 1$. Also let $\sigma = t_0 \to_\mathcal{R} t_1 \to_\mathcal{R} \cdots t_{k-1} \to_\mathcal{R} t_k \to_\mathcal{R} t_{k+1}$ of $\mathcal{R}$ be a root rewrite sequence and $o_0 \in Pos(t_0)$ be a position. If there exists a position $o_i \in Res(o_0, t_i)$ such that $|o_0| \le |o_i|$ for each $i$ $(1 \le i \le k)$, then every position $p_0 \in Pos_{\ge c}(t_0)$ satisfies the following (a) and (b):

(a) For an arbitrary $p_k \in Res(p_0, t_k)$,

$|p_k| - |o_k \sqcup p_k| \ge |p_0| - |o_0 \sqcup p_0|$ and $|p_k| > max_f(\mathcal{R})$.

(b) For an arbitrary $s \in T(\mathcal{F})$,

$t_0[p_0 \leftarrow s] \to^*_\mathcal{R} t_{k+1}[Res(p_0, t_{k+1}) \leftarrow s]$.

Proof Sketch. (a) By induction on the length $k$ of $\sigma$ (see [18] for the detail). (b) By (a), each $p_i \in Res(p_0, t_i)$ $(0 \le i \le k)$ satisfies $|p_i| > max_f(\mathcal{R})$. Hence, we can construct a rewrite sequence starting in $t_0[p_0 \leftarrow s]$, applying the rules in the same order as $\sigma$. ∎

The next lemma states that for any infinite root rewrite sequence $\sigma$ of an LL-GG-TRS and any term $t_n$ in $\sigma$, one can find a term $t_m$ after $t_n$ such that every ‘sufficiently deep’ position in $t_m$ does not affect the rewrite sequence after $t_m$.

Definition 6. (Longest-Living Position) Let $t_0 \to_\mathcal{R} t_1 \to_\mathcal{R} \cdots$ be a rewrite sequence and $o_0 \in Pos(t_0)$ be a position. The lifetime of $o_0$ (in $t_0$) is defined as $k$, if there exists $k$ such that $Res(o_0, t_i) \neq \emptyset$ $(0 \le i \le k)$ and $Res(o_0, t_i) = \emptyset$ $(i > k)$. Otherwise ($Res(o_0, t_i) \neq \emptyset$ for any $i \ge 0$), the lifetime of $o_0$ is undefined. A position which has the maximum lifetime in $t_0$ is called the longest-living position, if the lifetime of every position in $t_0$ is defined.

Lemma 3. Let $\mathcal{R}$ be an LL-GG-TRS and $c = max_v(\mathcal{R}) + max_f(\mathcal{R}) + 1$. If there exists an infinite root rewrite sequence $\sigma = t_0 \to_\mathcal{R} t_1 \to_\mathcal{R} \cdots$ of $\mathcal{R}$, then for any $n \ge 0$, there exists $m \ge n$ such that for every $p_m \in Pos_{\ge c}(t_m)$, $k \ge m$ and $s \in T(\mathcal{F})$, $t_m[p_m \leftarrow s] \to^*_\mathcal{R} t_k[Res(p_m, t_k) \leftarrow s]$ holds.

Proof Sketch. Assume that there exists a position in $t_n$ of which the lifetime is undefined (the proof for the other case is given in [18]). Let $p_i$ be the deepest residual of that position in $t_i$ $(i \ge n)$, and $m$ be the minimum $j$ $(\ge n)$ such that $|p_j| \le |p_i|$ for each $i$ $(\ge j)$. Note that $m$ is always defined since $t_n \to_\mathcal{R} t_{n+1} \to_\mathcal{R} \cdots$ is an infinite sequence. Also, $t_m \to_\mathcal{R} t_{m+1} \to_\mathcal{R} \cdots$ and $p_m$ satisfy the hypothesis of Lemma 2. Hence, by Lemma 2(b), the lemma holds. ∎

Definition 7. (Inclusion Order $\sqsupseteq_a$) The inclusion order $\sqsupseteq_a$ w.r.t. constant $a$ is the least relation satisfying the following condition:

— For any term $t$, $t \sqsupseteq_a a$.

— If $t_1 \sqsupseteq_a t'_1, t_2 \sqsupseteq_a t'_2, \ldots, t_n \sqsupseteq_a t'_n$, then $f(t_1, t_2, \ldots, t_n) \sqsupseteq_a f(t'_1, t'_2, \ldots, t'_n)$. ∎

In the rest of this section, we assume $a$ is a new constant which is not a member of $\mathcal{F}$. For a term $t \in T(\mathcal{F} \cup \{a\})$, let $|t|_a$ denote $|Pos(t, a)|$. When a tuple of terms $\theta = (\theta_1, \ldots, \theta_n) \in T^n(\mathcal{F} \cup \{a\})$ is given where $n = |t|_a$, let $t\theta$ denote $t[p_i \leftarrow \theta_i \mid 1 \le i \le n]$ for $Pos(t, a) = \{p_1, \ldots, p_n\}$, by slightly abusing the notation. The following lemma states that every infinite root rewrite sequence of an LL-GG-TRS has a kind of cyclic property.

Lemma 4. Let $\mathcal{R}$ be an LL-GG-TRS and $c = max_v(\mathcal{R}) + max_f(\mathcal{R}) + 1$. For an infinite root rewrite sequence $\sigma = t_0 \to_\mathcal{R} t_1 \to_\mathcal{R} \cdots$ of $\mathcal{R}$, there exist a term $t_R \in T(\mathcal{F} \cup \{a\})$ $(n = |t_R|_a)$ of which the depth is $c$ or less and tuples of terms $\theta \in T^n(\mathcal{F} \cup \{a\})$, $\theta' \in T^n(\mathcal{F})$ such that $t_R \in pre^*(\{t_R\theta\})$ and $t_0 \in pre^*(\{t_R\theta'\})$ hold.

Let $T_G \subseteq T(\mathcal{F} \cup \{a\})$ be a set of terms, which is downward-closed w.r.t. $\sqsubseteq_a$. If terms in $T_G$ appear infinitely often in $\sigma$, then $t_R \in pre^*(T_G \cap pre^+(\{t_R\theta\}))$ and $t_0 \in pre^*(\{t_R\theta'\})$ hold.

Proof. We define an infinite sequence $\sigma_0, \sigma_1, \sigma_2, \ldots$ of infinite sequences and a function $f : \mathbb{N} \to \mathbb{N}$ as follows (Fig. 2). The $k$-th element of $\sigma_i$ is denoted as $\sigma_i(k)$.

— $i = 0$: $\sigma_0 = \sigma$.

— $i > 0$: $f^i(0)$ is defined as $m$ in Lemma 3 when infinite root rewrite sequence $\sigma_{i-1}$ and $n = f^{i-1}(0)$ are given. $\sigma_i(k)$ is defined according to $k$ as follows:

• $k < f^i(0)$: $\sigma_i(k)$ is undefined.

• $k = f^i(0)$:

$\sigma_i(k) = \sigma_{i-1}(k)[Pos_{=c}(\sigma_{i-1}(k)) \leftarrow a]$. (3.1)

• $k > f^i(0)$: By the definition of $f^i(0)$, we can use Lemma 3 and obtain:

$\sigma_{i-1}(f^i(0))[Pos_{=c}(\sigma_{i-1}(f^i(0))) \leftarrow a] \to^*_\mathcal{R} \sigma_{i-1}(k)[P_{i,k} \leftarrow a]$, (3.2)

where $P_{i,k} = Res(Pos_{=c}(\sigma_{i-1}(f^i(0))), \sigma_{i-1}(k)) \subseteq Pos_{\ge (max_f(\mathcal{R}) + 1)}(\sigma_{i-1}(k))$ (the name $P_{i,k}$ for this set of positions is ours).

Now, let

$\sigma_i(k) = \sigma_{i-1}(k)[P_{i,k} \leftarrow a]$, (3.3)

then (3.2) can be written as $\sigma_i(f^i(0)) \to^*_\mathcal{R} \sigma_i(k)$ by (3.1).

For the infinite sequence $\sigma_0, \sigma_1, \sigma_2, \ldots$,

$\sigma_0(k) \sqsupseteq_a \sigma_1(k) \sqsupseteq_a \sigma_2(k) \sqsupseteq_a \cdots \sqsupseteq_a \sigma_i(k)$ $(f^i(0) \le k < f^{i+1}(0))$ (3.4)

holds by (3.3). Now, we consider the infinite sequence $\sigma_1(f(0)), \sigma_2(f^2(0)), \ldots$ by picking up the ‘diagonal’ terms. Then, the depths of these terms are always $c$ or less. By this fact, we can see that there exist an integer $i$ and an infinite sequence $i < j_0 < j_1 < j_2 < \cdots$ of numbers such that for every $j_h$ $(h \ge 0)$,

$\sigma_i(f^i(0)) = \sigma_{j_h}(f^{j_h}(0))$. (3.5)

By (3.4) and (3.5), $\sigma_i(f^i(0)) \sqsubseteq_a \sigma_i(f^{j_0}(0))$. Hence, for $t_R = \sigma_i(f^i(0))$, there exists $\theta \in T^n(\mathcal{F} \cup \{a\})$ such that $\sigma_i(f^{j_0}(0)) = t_R\theta$. Since $\sigma_i(f^i(0)) \to^*_\mathcal{R} \sigma_i(f^{j_0}(0))$, $t_R \in pre^*(\{t_R\theta\})$ holds. Similarly, by (3.4), we can obtain $\sigma_i(f^i(0))$ $(= t_R)$ $\sqsubseteq_a \sigma_0(f^i(0))$ $(= t_R\theta')$ for some $\theta' \in T^n(\mathcal{F})$, and thus $\sigma_0(0)$ $(= t_0)$ $\in pre^*(\{t_R\theta'\})$ holds. By (3.1), the depth of $t_R$ is $c$ or less. Next, we consider the case that terms in $T_G$ appear infinitely often in $\sigma$. We can easily see that there exist integers $l, m$ and $\sigma_0(l) \in T_G$ such that $f^i(0) \le l < f^{j_m}(0)$ holds. By (3.4), $\sigma_0(l) \sqsupseteq_a \sigma_i(l)$, and thus $\sigma_i(l) \in T_G$ because $T_G$ is a downward-closed set. On the other hand, since $t_R = \sigma_i(f^i(0)) \to^*_\mathcal{R} \sigma_i(l) \to^+_\mathcal{R} \sigma_i(f^{j_m}(0))$, we can obtain $\sigma_i(l) \in T_G \cap pre^+(\{t_R\theta\})$ and $t_R \in pre^*(\{\sigma_i(l)\})$ in a similar way to the above case. Hence, $t_R \in pre^*(T_G \cap pre^+(\{t_R\theta\}))$. ∎
[Fig. 2 (diagram): the rows $\sigma_0(0), \ldots, \sigma_0(f(0)), \sigma_0(f(0)+1), \ldots$ and $\sigma_1(f(0)), \sigma_1(f(0)+1), \ldots, \sigma_1(f(f(0))), \sigma_1(f(f(0))+1), \ldots$, with the diagonal terms $\sigma_i(f^i(0))$ linked]

Fig. 2. Proof of Lemma 5: infinite sequence $\sigma_0, \sigma_1, \ldots$



Theorem 1. Let $\mathcal{R}$ be an LL-GG-TRS and $c = max_v(\mathcal{R}) + max_f(\mathcal{R}) + 1$. Let $T_G \subseteq T(\mathcal{F} \cup \{a\})$ be a set of terms, which is upward-closed and downward-closed w.r.t. $\sqsubseteq_a$. There exists an infinite root rewrite sequence of $\mathcal{R}$ starting in $t_0$ in which terms in $T_G$ appear infinitely often if and only if there exist $t_R \in T(\mathcal{F} \cup \{a\})$ $(|t_R|_a = n)$ of which the depth is $c$ or less and tuples of terms $\theta \in T^n(\mathcal{F} \cup \{a\})$, $\theta' \in T^n(\mathcal{F})$ such that $t_R \in pre^*(T_G \cap pre^+(\{t_R\theta\}))$ and $t_0 \in pre^*(\{t_R\theta'\})$ (or equivalently, $t_R\theta \in post^+(post^*(\{t_R\}) \cap T_G)$ and $t_R\theta' \in post^*(\{t_0\})$) hold.

Proof. The only-if part of this theorem follows from Lemma 4.

The if part is proved as follows. If $t_0 \in pre^*(\{t_R\theta'\})$ and $t_R \in pre^*(T_G \cap pre^+(\{t_R\theta\}))$, then there exists a term $t_G \in T_G$ such that $t_R \in pre^*(\{t_G\})$ and $t_G \in pre^+(\{t_R\theta\})$ hold. By these facts, we can construct infinite root rewrite sequence $t_0 \to^*_\mathcal{R} t_R\theta' \to^*_\mathcal{R} t_G\theta' \to^+_\mathcal{R} t_R\theta\theta' \to^*_\mathcal{R} t_G\theta\theta' \to^+_\mathcal{R} t_R\theta^2\theta' \to^*_\mathcal{R} \cdots$, where $\theta' = (\theta'_1, \ldots, \theta'_n)$ and $\theta\theta'$ is obtained by replacing $a$ in $\theta$ by one of $\theta'_1, \ldots, \theta'_n$. Since $t_G\theta^k\theta' \sqsupseteq_a t_G$ and $T_G$ is upward-closed, $t_G\theta^k\theta' \in T_G$. Therefore, terms in $T_G$ appear infinitely often in the above sequence. ∎

Theorem 2. Let $\mathcal{R}$ be an LL-GG-TRS, $t_0 \in T(\mathcal{F})$, $\phi$ be an LTL formula, $v$ be a simple valuation. There exists a term $t_R \in \{q(t') \mid q \in Q_B,\ t' \in T(\mathcal{F} \cup \{a\})\}$ of which the depth is $c$ or less, and

$\mathcal{R}, t_0 \not\models^v \phi$ iff $t_R \in pre^*_{B\mathcal{R}^v}(T_{acc} \cap pre^+_{B\mathcal{R}^v}(T_I))$ and $q_{0B}(t_0) \in pre^*_{B\mathcal{R}^v}(T_R)$

iff $post^+_{B\mathcal{R}^v}(post^*_{B\mathcal{R}^v}(\{t_R\}) \cap T_{acc}) \cap T_I \neq \emptyset$ and $T_R \cap post^*_{B\mathcal{R}^v}(\{q_{0B}(t_0)\}) \neq \emptyset$,

where $B$ is a Büchi automaton representing $\neg\phi$, $q_{0B}$ and $Q_B^{acc}$ are the initial state and accepting states of $B$, $T_{acc} = \{q_a(t) \mid q_a \in Q_B^{acc},\ t \in T(\mathcal{F} \cup \{a\})\}$, $T_R = \{t_R\theta \mid \theta \in T^n(\mathcal{F})\}$, $T_I = \{t_R\theta \mid \theta \in T^n(\mathcal{F} \cup \{a\})\}$.

Proof. If $\mathcal{R}$ is an LL-GG-TRS, then $B\mathcal{R}^v$ is also an LL-GG-TRS. $T_{acc}$ is upward-closed and downward-closed w.r.t. $\sqsubseteq_a$. Therefore, by Lemma 1 and Theorem 1, the theorem holds. ∎

Corollary 1. Let $\mathcal{R}$ be an LL-GG-TRS, $t_0 \in T(\mathcal{F})$, $\phi$ be an LTL formula, $v$ be a simple valuation. If $B\mathcal{R}^v$ is pre-PR or post-PR, then $\mathcal{R}, t_0 \models^v \phi$ is decidable.

Proof. The corollary follows from the facts that the number of candidates for $t_R$ in Theorem 2 is finite, and that we can construct TAs which recognize $T_{acc}$, $\{q_{0B}(t_0)\}$, $T_R$ and $T_I$. ∎

4 Computing pre*

By Corollary 1, if an LL-GG-TRS $\mathcal{R}$ is post-PR or pre-PR, then LTL model checking for $\mathcal{R}$ is decidable. Unfortunately, an LL-GG-TRS is not always post-PR. For example, $\mathcal{R} = \{f(x, y) \to f(g(x), g(y))\}$ is an LL-GG-TRS. However, $post^*_\mathcal{R}(\{f(a, a)\})$ is not recognizable and thus $\mathcal{R}$ is not post-PR. It is unknown whether every LL-GG-TRS is pre-PR. In this section, we propose a decidable subclass of pre-PR TRS. Let $\mathcal{R}$ be a TRS. By the definition of pre-PR, for a given TA $\mathcal{A}$, if we can extend $\mathcal{A}$ so that $t \to_\mathcal{R} s \in pre^*_\mathcal{R}(\mathcal{L}(\mathcal{A}))$ implies $t \in pre^*_\mathcal{R}(\mathcal{L}(\mathcal{A}))$ (backward closedness w.r.t. $\to_\mathcal{R}$) then $\mathcal{R}$ is pre-PR. This requires us to add to $\mathcal{A}$ new states and transition rules to satisfy the condition that $t \to_\mathcal{R} s \to^*_\mathcal{A} q$ implies $t \to^*_\mathcal{A} q$. For example, let $f(g(x, y)) \to f(h(y), x) \in \mathcal{R}$, $t = f(g(a, b))$, $s = f(h(b), a)$, and $s \to^*_\mathcal{A} f(h(q_2), q_1) \to^*_\mathcal{A} q$ for states $q_1, q_2$ and $q$ of a TA $\mathcal{A}$. Note that $t \to_\mathcal{R} s$ with substitution $\theta = \{x \mapsto a, y \mapsto b\}$. Then, we add the following states and transition rules to $\mathcal{A}$ so that $t \to^*_\mathcal{A} q$.

states: $\langle g(q_1, q_2) \rangle$, $\langle f(g(q_1, q_2)) \rangle$.

rules: $g(q_1, q_2) \to \langle g(q_1, q_2) \rangle$, $f(\langle g(q_1, q_2) \rangle) \to \langle f(g(q_1, q_2)) \rangle$, $\langle f(g(q_1, q_2)) \rangle \to q$.

That is, we use a subterm of the left-hand side of the rewrite rule as a state to keep track of the position where the head of $\mathcal{A}$ is located. However, states substituted into variables such as $q_1, q_2, q$ above may recursively be subterms, and hence the above construction does not always halt. The condition for a TRS $\mathcal{R}$ to be an LL-SPO-TRS stated below is a condition for $\mathcal{R}$ not to have a kind of overlapping between subterms of rewrite rules, which guarantees that the above construction always halts.

4.1 LL-SPO-TRS

For an ordinary rewrite relation not limited to root rewriting, LL-FPO$^{-1}$-TRS is known as a decidable subclass of pre-PR TRS (see Sect. 2.2). Based on the definition of LL-FPO$^{-1}$-TRS, we define a new subclass called LL-SPO-TRS and show that every LL-SPO-TRS is pre-PR with respect to root rewriting.

Definition 8. (Sticking Out Relation)

Let $s$ and $t$ be terms in $T(\mathcal{F}, V)$. We say $s$ sticks out of $t$ if $t \notin V$ and there exists a position $o_{var} \in Pos(t)$ ($lab(t, o_{var}) \in V$) such that

— for any position $o$ ($\lambda \le_{pref} o <_{pref} o_{var}$), $o \in Pos(s)$ and $lab(s, o) = lab(t, o)$, and

— $o_{var} \in Pos(s)$ and $s|_{o_{var}}$ is not a ground term.

When the position $o_{var}$ is of interest, we say that $s$ sticks out of $t$ at $o_{var}$. If $s$ sticks out of $t$ at $o_{var}$ and $lab(s, o_{var})$ is not a variable, then we say that $s$ properly sticks out of $t$ (at $o_{var}$). ∎

For example, $f(g(x), a)$ sticks out of $f(g(y), b)$ at 11 and $f(g(g(x)), a)$ properly sticks out of $f(g(y), b)$ at 11. Remember that a configuration of a PDS is a pair $(q, w)$ of a control location (finite control) $q$ and a sequence $w$ of symbols stored in the pushdown stack. In the rest of this section, we assume that a signature $\mathcal{F}$ is decomposed into $\Pi$ and $\Sigma$, that is, $\mathcal{F} = \Pi \cup \Sigma$ and $\Pi \cap \Sigma = \emptyset$. For each $\pi \in \Pi$, we assume $arity(\pi) = 1$. Each $\pi \in \Pi$ is called a control symbol and each $f \in \Sigma$ is called a data symbol.

Definition 9. (Simply Path Overlapping TRS (SPO-TRS))

A TRS $\mathcal{R}$ is SPO if every rule in $\mathcal{R}$ has the form either $\pi_1(l) \to \pi_2(r)$, $\pi_1(l) \to r$ or $l \to r$ where $\pi_1, \pi_2 \in \Pi$ and $l, r \in T(\Sigma, V)$, and the sticking-out graph $G_\mathcal{R}$ of $\mathcal{R}$ has no cycle with weight one or more. The sticking-out graph of a TRS $\mathcal{R}$ is a weighted directed graph $G_\mathcal{R} = (\mathcal{R}, E)$. Let $v_1 \xrightarrow{i} v_2$ denote a directed edge from a node $v_1$ to a node $v_2$ with weight $i$. $E$ is defined as follows. Let $v_1 : l_1 \to r_1$ (or $\pi_{11}(l_1) \to r_1$ or $\pi_{11}(l_1) \to \pi_{12}(r_1)$) and $v_2 : l_2 \to r_2$ (or $\pi_{21}(l_2) \to r_2$ or $\pi_{21}(l_2) \to \pi_{22}(r_2)$) be rules in $\mathcal{R}$. Replace each variable in $Var(l_1) \setminus Var(r_1)$ or $Var(l_2) \setminus Var(r_2)$ with a constant not in $\mathcal{F}$, say $o$.

(1) If $l_1$ properly sticks out of $r_2$, then $v_1 \xrightarrow{1} v_2 \in E$.

(2) If $r_2$ sticks out of $l_1$, then $v_1 \xrightarrow{0} v_2 \in E$. ∎
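An added example (our code, not the paper's) of Definitions 8 and 9: a checker for the sticking-out relation and for the weighted sticking-out graph, applied to the two sticking-out examples given above, to the Sect. 4 rule f(x,y) → f(g(x),g(y)), and to a rule f(g(x)) → f(x) that we constructed because its left-hand side properly sticks out of its own right-hand side. The checker works on rules written in the plain form l → r (it does not enforce the π(l) → π'(r) shapes), treats i = j as an allowed edge, and uses weight 1 for proper sticking out and 0 otherwise, which is how we read the definition.

```python
# Added example (our code, not the paper's): the sticking-out relation of
# Definition 8 and the sticking-out graph / SPO test of Definition 9 for rules
# written as l -> r.  Terms are nested tuples (symbol, arg1, ...), variables are
# bare strings, ('o',) is the fresh constant substituted for erased variables.

FRESH = ('o',)


def is_var(t):
    return isinstance(t, str)


def label(t):
    """lab(t, lambda): the variable name or the root function symbol."""
    return t if is_var(t) else t[0]


def subterm_at(t, pos):
    """t|pos for a position given as 1-based indices; None if pos is not in Pos(t)."""
    for i in pos:
        if is_var(t) or i >= len(t):
            return None
        t = t[i]
    return t


def var_positions(t, prefix=()):
    """Positions of t labelled by a variable."""
    if is_var(t):
        return [prefix]
    return [p for i, arg in enumerate(t[1:], start=1)
            for p in var_positions(arg, prefix + (i,))]


def variables(t):
    return {label(subterm_at(t, p)) for p in var_positions(t)}


def is_ground(t):
    return not is_var(t) and all(is_ground(a) for a in t[1:])


def sticks_out(s, t):
    """Definition 8. Returns (sticks_out, o_var, properly): s sticks out of t at o_var
    when every proper prefix of o_var is a position of s carrying the same function
    symbol as in t, o_var is a position of s, and s|o_var is not ground; properly
    when lab(s, o_var) is a function symbol rather than a variable."""
    if is_var(t):
        return (False, None, False)
    for o_var in var_positions(t):
        agrees = True
        for k in range(len(o_var)):
            sub = subterm_at(s, o_var[:k])
            if sub is None or is_var(sub) or label(sub) != label(subterm_at(t, o_var[:k])):
                agrees = False
                break
        below = subterm_at(s, o_var)
        if agrees and below is not None and not is_ground(below):
            return (True, o_var, not is_var(below))
    return (False, None, False)


def freeze_erased(l, r):
    """Replace the variables of l that do not occur in r by the fresh constant o."""
    erased = variables(l) - variables(r)

    def go(t):
        if is_var(t):
            return FRESH if t in erased else t
        return (t[0],) + tuple(go(a) for a in t[1:])
    return go(l), go(r)


def sticking_out_graph(rules):
    """Edges (i, j, w) of G_R: w = 1 if l_i properly sticks out of r_j, w = 0 if r_j
    sticks out of l_i.  i == j is allowed, so one rule alone can form a cycle."""
    frozen = [freeze_erased(l, r) for l, r in rules]
    edges = []
    for i, (l_i, _) in enumerate(frozen):
        for j, (_, r_j) in enumerate(frozen):
            out, _, properly = sticks_out(l_i, r_j)
            if out and properly:
                edges.append((i, j, 1))
            if sticks_out(r_j, l_i)[0]:
                edges.append((i, j, 0))
    return edges


def has_heavy_cycle(n, edges):
    """A cycle of weight >= 1 exists iff some weight-1 edge u -> v lies on a cycle,
    i.e. v reaches u (u == v counts: a weight-1 self-loop is such a cycle)."""
    adj = {u: set() for u in range(n)}
    for u, v, _ in edges:
        adj[u].add(v)

    def reaches(src, dst):
        seen, stack = set(), [src]
        while stack:
            x = stack.pop()
            if x == dst:
                return True
            if x not in seen:
                seen.add(x)
                stack.extend(adj[x])
        return False
    return any(w == 1 and reaches(v, u) for u, v, w in edges)


def is_spo(rules):
    return not has_heavy_cycle(len(rules), sticking_out_graph(rules))


# The two Definition 8 examples of the paper.
S1, T1 = ('f', ('g', 'x'), ('a',)), ('f', ('g', 'y'), ('b',))
S2 = ('f', ('g', ('g', 'x')), ('a',))
# One-rule TRSs: the Sect. 4 rule f(x,y) -> f(g(x),g(y)) and our constructed
# rule f(g(x)) -> f(x), whose lhs properly sticks out of its own rhs.
R_GROW = [(('f', 'x', 'y'), ('f', ('g', 'x'), ('g', 'y')))]
R_UNFOLD = [(('f', ('g', 'x')), ('f', 'x'))]
```

For R_UNFOLD the graph is the single edge 0 →¹ 0, a cycle of weight one, so the rule is not SPO: this is the situation the Sect. 4 discussion describes, where the subterm substituted for a variable may again be a subterm of a left-hand side and the state-adding construction need not halt. For R_GROW the only edge has weight 0 and the TRS is SPO.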

If $\mathcal{R}$ is an LL-SPO-TRS, then for any TA $\mathcal{A}$, we can construct a TA $\mathcal{A}^*$ such that $\mathcal{L}(\mathcal{A}^*) = pre^*_\mathcal{R}(\mathcal{L}(\mathcal{A}))$ (see [18]). That is, every LL-SPO-TRS is pre-PR.

Theorem 3. For every recognizable tree language $L$ and LL-SPO-TRS $\mathcal{R}$, $pre^*_\mathcal{R}(L)$ is also recognizable. ∎

Corollary 2. Assume $t_0 \in T(\mathcal{F})$, $\phi$ is an LTL formula and $v$ is a simple valuation. If $\mathcal{R} \in$ LL-GG-TRS $\cap$ SPO-TRS, then $\mathcal{R}, t_0 \models^v \phi$ is decidable.

Proof. Let $B = (Q_B, \Sigma_B, \Delta_B, q_{0B}, Q_B^{acc})$ be a Büchi automaton representing $\neg\phi$ and $\Pi$ be the set of control symbols of $\mathcal{R}$. Consider the construction of Büchi TRS $B\mathcal{R}^v$ from $\mathcal{R}$, $B$ and $v$. If $\mathcal{R}$ is an SPO-TRS, then by constructing $(q, p)(l) \to (q', p')(r) \in B\mathcal{R}^v$ instead of $q(p(l)) \to q'(p'(r)) \in B\mathcal{R}^v$ for each rule $p(l) \to p'(r) \in \mathcal{R}$ $(p, p' \in \Pi)$, $B\mathcal{R}^v$ becomes an SPO-TRS. By Corollary 1 and Theorem 3, $\mathcal{R}, t_0 \models^v \phi$ is decidable. ∎

4.2 Application

As mentioned in Sect. 3, we can model a recursive program with exception handling by an LL-GG-TRS. If the LL-GG-TRS is always an SPO-TRS, then LTL model checking for the TRS is decidable. Recall $\mathcal{R}_2$ in Example 2. Since for any two rules $l_1 \to r_1$ and $l_2 \to r_2$ in $\mathcal{R}_2$, $l_1$ never properly sticks out of $r_2$, $\mathcal{R}_2$ is an SPO-TRS. Similarly, we can easily see that every LL-GG-TRS constructed by the method in Example 2 is always an SPO-TRS. Thus, the LTL model checking problem is decidable for recursive programs with exception handling.

[Fig. 3 (diagram): the inclusions among the TRS subclasses, with the region in which LTL model checking is decidable marked]

Fig. 3. The relation between TRS subclasses

5 Conclusion

In this paper, we introduced two classes of TRS, LL-GG-TRS and SPO-TRS, and showed that for a TRS in LL-GG-TRS $\cap$ SPO-TRS, LTL model checking is decidable. Since every PDS is a member of LL-GG-TRS $\cap$ SPO-TRS, this model checking is considered as an extension of LTL model checking for PDS. In fact, a recursive program with exception handling can be modeled as a TRS to which this model checking method can be applied and to which no PDS is strongly bisimilar.

We can reduce some decision problems of TRS to LTL model checking problems. For example, let $v$ be a regular valuation and $a_{NF}$ be an atomic proposition such that $v(a_{NF}) = NF_\mathcal{R}$. Whether there exists no infinite rewrite sequence starting in $t_0$ (strongly normalizing) is checked by $\mathcal{R}, t_0 \models^v \Diamond(a_{NF})$, and whether there exists a finite rewrite sequence starting in $t_0$ (weakly normalizing) is checked by $\mathcal{R}, t_0 \not\models^v \Box(\neg a_{NF})$.

The following problems remain as future study:

— finding a wider subclass of TRS in which LTL model checking is solvable,

— developing an efficient LTL model checking method w.r.t. regular valuation,

— and finding other applications of this model checking method.
Abstract. We define a new notation called netcharts for describing sets of message sequence chart scenarios (MSCs). Netcharts correspond to a distributed version of High-level Message Sequence Charts (HMSCs). Netcharts improve on HMSCs in two respects.

(i) Netcharts admit a natural and direct translation into communicat- 
ing finite-state machines, unlike HMSCs, for which the realization 
problem is nontrivial. 

(ii) Netcharts can describe all regular MSC languages (sets of MSCs in 
which channel capacities have a finite upper bound), unlike HMSCs, 
which can only describe finitely-generated regular MSC languages. 



1 Introduction 

Message sequence charts (MSCs) are an appealing visual formalism used to cap- 
ture system requirements in the early stages of design. They are particularly 
suited for describing scenarios for distributed telecommunication software [10, 
15]. They also appear in the literature as sequence diagrams, message flow di- 
agrams and object interaction diagrams and are used in a number of software 
engineering methodologies including UML [3,7,15]. In its basic form, an MSC 
depicts the exchange of messages between the processes of a distributed system 
along a single partially-ordered execution. A collection of MSCs is used to cap- 
ture the scenarios that a designer might want the system to exhibit (or avoid). 

Given the requirements in the form of MSCs, one can hope to discover errors 
at the early stages of design. One question that naturally arises in this context is: 
What constitutes a reasonable collection of MSCs on which one can hope to do 
formal analysis? In [9] , the notion of a regular collection of MSCs is introduced 
and shown to be robust in terms of logical and automata-theoretic characteri- 
zations. In particular, regular collections of MSCs can be implemented using a 
natural model of message-passing automata with bounded queues [12]. 

A standard way to specify a set of MSCs is to use a High-level Message 
Sequence Chart (HMSC) [10,11]. An HMSC is a finite directed graph in which 
each node is itself labelled by an HMSC, with a finite level of nesting. 

HMSCs are an attractive visual formalism for describing collections of MSCs. 
An HMSC is not, however, an executable model. To obtain one, one must extract 
from the inter-object specification provided by an HMSC, an intra-object specification (say in the form of a finite state automaton) for each process together with a communication mechanism. This is non-trivial because the structure of an HMSC provides implicit global control over the behaviour of the processes in the system. This allows for specifications that are not realizable in practice because of un-implementable global choices. Even for the class of so-called bounded HMSCs [2], the problem of realizing them as, say, a network of finite state automata communicating via bounded queues is non-trivial. Admittedly, the sub-class of bounded HMSCs that are weakly realizable can be implemented easily, but this is an undecidable property of bounded HMSCs! [1]. A detailed study of the realization problems associated with HMSCs can be found in [4].

HMSCs also have a limitation with respect to expressiveness — they can only 
describe finitely generated MSC languages. But there are natural regular MSC 
languages, such as the set of scenarios corresponding to the alternating bit pro- 
tocol, that are not finitely generated [6]. 

In this paper, we introduce a new visual formalism for specifying collections 
of MSCs, called netcharts. Netcharts are distributed versions of HMSCs in much 
the same way that Petri nets are distributed versions of finite-state automata. 
Netcharts improve on HMSCs in two respects. First, due to their natural — 
control flow — semantics, netcharts can be directly translated into communicat- 
ing finite-state machines. In this sense the “realization” problem for netcharts is 
easy. Second, netcharts can describe all regular MSC languages, including those 
that are not finitely-generated. 

An important aspect of the netchart model is that the compound MSCs that 
are defined by a netchart are built up from “complete” MSCs. As a result, this 
formalism can be used to capture system requirements in an intuitive fashion. 
The distributed structure allows these scenarios to be intertwined together to 
form complicated new scenarios. 

The netchart model is related to Communication Transaction Processes 
(CTP) [14] . The main difference is that in a CTP, each transition in the high-level 
control flow model is labelled as a guarded choice of MSCs, where the guards 
are formed using atomic propositions associated with the processes. The focus in 
the study of the CTP model is the modelling of complex non-atomic interactions 
between communicating processes and not on the collections of MSCs that are 
definable. A second piece of related work is [16] in which it is suggested that 
the transitions of a 1-safe Petri net be labelled by arbitrary MSCs. The realiza- 
tion problem for this model is also difficult and the authors propose a number 
of restrictions for their model and study the realization problem in terms of 
composing a fixed set of basic Petri net templates to obtain a Petri net model. 

The paper is organized as follows. After some background on MSCs and 
HMSCs, we introduce the netchart model in Sect. 3. In Sect. 4, we show how 
to transform netcharts into message-passing automata. Next, we discuss when 
a netchart definable MSC language is regular. Sect. 6 compares the expressive 
power of HMSCs and netcharts. In Sect. 7, we show that netcharts can describe 
all regular MSC languages. 
2 Background

2.1 Message Sequence Charts 

Throughout this paper, we let V denote a finite set of processes. A message 
sequence chart (MSC) over P is a graphical representation of a pattern of inter- 
actions (often called a scenario) consisting of an exchange of messages between 
the processes in V. In an MSC, each process is represented by a vertical line with 
time flowing from top to bottom. Messages are drawn as directed edges from the 
source process to the target process, with an annotation denoting the message 
type, if any. In addition, internal events are marked along the process lines. 

Figure 1 is an MSC involving processes $\{p_1, p_2, p_3\}$. In this scenario, clients $p_1$ and $p_3$ both request a resource from the server, $p_2$. The server $p_2$ first responds to $p_3$. After $p_3$ notifies $p_2$ that it has returned the resource, $p_2$ hands over the resource to $p_1$, but this message crosses a “reminder” from $p_1$ to $p_2$.

[Fig. 1 (diagram): process lines $p_1$, $p_2$, $p_3$ with the messages described above]

Fig. 1. An MSC



The semantics of an MSC is given in terms of labelled partial orders. Formally, an MSC over $\mathcal{P}$ is a structure $M = (E, \le, \tau, \varphi, \pi)$, where:

(i) $E$ is a finite set of events.

(ii) $\pi : E \to \mathcal{P}$ associates a unique process with each event.

(iii) $\tau : E \to \{send, receive, internal\}$ specifies the nature of each event.

(iv) $\varphi$ is a bijection from the set of send events $\{e \mid \tau(e) = send\}$ to the set of receive events $\{e \mid \tau(e) = receive\}$. Each pair in the set $\{(e, \varphi(e)) \mid \tau(e) = send\}$ constitutes a message. Messages are often labelled using a finite set $\Lambda$ of message types, with typical elements $m, m'$ etc.

(v) $E$ is partially ordered by $\le$, such that for each $p \in \mathcal{P}$, the set $E_p = \{e \mid \pi(e) = p\}$ is linearly ordered by $\le$. Let us denote this linear order $\le_p$. Further, $\le$ is the reflexive, transitive closure of $\bigcup_{p \in \mathcal{P}} \le_p \cup \{(e, \varphi(e)) \mid \tau(e) = send\}$.

(vi) Messages between each pair of processes are delivered in a FIFO fashion.¹ More formally, let $e, e'$ be a pair of events such that $\pi(e) = \pi(e')$, $\tau(e) = \tau(e') = send$ and $\pi(\varphi(e)) = \pi(\varphi(e'))$. Then, $e \le e'$ iff $\varphi(e) \le \varphi(e')$.

Let $M$ be a message sequence chart. The type of $M$ is the set $\pi(M) = \{p \in \mathcal{P} \mid \exists e \in M.\ \pi(e) = p\}$ of processes that are active in $M$.

¹ We will see how to relax this restriction later.
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For X CV, Mx denotes the set of MSCs of type X. The set of all possible 
MSCs over the set of processes P is given hy M = U05^xc-p ^x- 



2.2 Regular MSC Languages 

A communicating system is normally specified using a set of scenarios or, equiv- 
alently, a set of MSCs. An MSC language is a (finite or infinite) collection of 
MSCs. We can also represent MSC languages in terms of word languages. 

Each send or receive event $e$ in an MSC is characterized by the values $\pi(e)$, $\tau(e)$ and the message type, if any. Let $p!q(m)$ denote the action associated with sending message $m$ from $p$ to $q$ and let $q?p(m)$ denote the corresponding receive action. We then have an alphabet of communication actions $\Gamma = \{p!q(m) \mid p, q \in \mathcal{P}, m \in \Delta\} \cup \{p?q(m) \mid p, q \in \mathcal{P}, m \in \Delta\}$. For an MSC $M$, viewed as a $\Gamma$-labelled poset, the set $lin(M)$ of valid linearizations of $M$ describes a word language over $\Gamma$. An MSC language $L \subseteq \mathcal{M}$ can thus be represented by the word language $\bigcup\{lin(M) \mid M \in L\}$. Notice that internal events do not play any role in defining MSC languages. 

We say that an MSC language $L$ is regular if the corresponding word language over $\Gamma$ is regular. 

Let $M = (E, \le, \tau, \varphi, \pi)$ be an MSC. A configuration is a set of events $c \subseteq E$ such that $c$ is closed with respect to $\le$. The channel capacity of $c$, $\chi(c)$, specifies the number of unmatched send events in $c$, that is, $\chi(c) = |\{e \in c \mid \tau(e) = send, \varphi(e) \notin c\}|$. We define the channel capacity $\chi(M)$ of the MSC $M$ to be the maximum value of $\chi(c)$ over all configurations $c$ of $M$. The following is easy to show. 

Proposition 1. Let $L$ be a regular MSC language. Then, there is a uniform upper bound $B \in \mathbb{N}_0$ such that for every MSC $M \in L$, $\chi(M) \le B$. 

The converse statement is not true, in general. We shall see a counterexample. 
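The definitions of Sect. 2.1 and 2.2 are mechanical enough to execute. The following is an added example, not code from the paper: it represents an MSC as a labelled poset, checks the FIFO condition (vi), enumerates $lin(M)$ as words over $\Gamma$ and computes $\chi(M)$ by walking all $\le$-closed configurations. The sample MSC is constructed from the description of Fig. 1 in the text; the message names (req, grant, release, reminder) are assumed, since the figure is not reproduced here.

```python
"""Added example (not from the paper): an MSC as a labelled poset, the word
language lin(M) over the alphabet Gamma, and the channel capacity chi(M)."""
from itertools import combinations

SEND, RECV = "send", "receive"


class MSC:
    """Events are 0..n-1, listed so that the events of each process appear in
    top-to-bottom order; proc, kind and msg give pi, tau and the message type,
    match is the bijection phi from send events to receive events."""

    def __init__(self, proc, kind, msg, match):
        self.proc, self.kind, self.msg, self.match = proc, kind, msg, match
        self.E = range(len(proc))
        self.pred = self._closure()  # pred[e] = {f | f <= e}

    def _closure(self):
        pred = {e: {e} for e in self.E}  # reflexive
        last = {}
        for e in self.E:  # generators of <=: the process orders <=_p ...
            if self.proc[e] in last:
                pred[e].add(last[self.proc[e]])
            last[self.proc[e]] = e
        for s, r in self.match.items():  # ... and the message pairs (e, phi(e))
            pred[r].add(s)
        changed = True
        while changed:  # transitive closure by fixpoint
            changed = False
            for e in self.E:
                before = len(pred[e])
                for f in list(pred[e]):
                    pred[e] |= pred[f]
                changed |= len(pred[e]) != before
        return pred

    def leq(self, a, b):
        return a in self.pred[b]

    def is_fifo(self):
        """Condition (vi): sends from p to q are received in the order sent."""
        sends = [e for e in self.E if self.kind[e] == SEND]
        for e, f in combinations(sends, 2):
            same_channel = (self.proc[e] == self.proc[f]
                            and self.proc[self.match[e]] == self.proc[self.match[f]])
            if same_channel and self.leq(e, f) != self.leq(self.match[e], self.match[f]):
                return False
        return True

    def action(self, e):
        """The letter of Gamma for event e: p!q(m) for a send, q?p(m) for a receive."""
        if self.kind[e] == SEND:
            return f"{self.proc[e]}!{self.proc[self.match[e]]}({self.msg[e]})"
        sender = next(s for s, r in self.match.items() if r == e)
        return f"{self.proc[e]}?{self.proc[sender]}({self.msg[e]})"

    def linearizations(self):
        """lin(M): every linear extension of <=, written as a word over Gamma."""
        words = []

        def extend(done, word):
            if len(done) == len(self.E):
                words.append(" ".join(word))
                return
            for e in self.E:
                if e not in done and self.pred[e] <= done | {e}:
                    extend(done | {e}, word + [self.action(e)])

        extend(frozenset(), [])
        return words

    def configurations(self):
        """All <=-closed subsets of E (the prefixes of the linearizations)."""
        confs, todo = {frozenset()}, [frozenset()]
        while todo:
            c = todo.pop()
            for e in self.E:
                if e not in c and self.pred[e] <= c | {e}:
                    n = c | {e}
                    if n not in confs:
                        confs.add(n)
                        todo.append(n)
        return confs

    def channel_capacity(self):
        """chi(M): the largest number of unmatched sends in any configuration."""
        return max(sum(1 for e in c if self.kind[e] == SEND and self.match[e] not in c)
                   for c in self.configurations())


# Constructed from the Fig. 1 scenario as described in the text (assumed message
# names; the figure itself is not reproduced). Events 0-2 lie on p1, 3-8 on p2, 9-11 on p3.
FIG1 = MSC(
    proc=["p1", "p1", "p1", "p2", "p2", "p2", "p2", "p2", "p2", "p3", "p3", "p3"],
    kind=[SEND, SEND, RECV, RECV, RECV, SEND, RECV, SEND, RECV, SEND, RECV, SEND],
    msg=["req", "reminder", "grant", "req", "req", "grant", "release", "grant",
         "reminder", "req", "grant", "release"],
    match={0: 3, 1: 8, 5: 10, 7: 2, 9: 4, 11: 6},
)

if __name__ == "__main__":
    print("FIFO:", FIG1.is_fifo(), " chi(M) =", FIG1.channel_capacity(),
          " |lin(M)| =", len(FIG1.linearizations()))
```

The capacity of 3 is reached in the configuration where both requests and the reminder are in flight at once; the 52 linearizations are exactly the words of $lin(M)$, and any word language built from such sets is what Proposition 1 bounds.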



2.3 High-Level Message Sequence Charts 

The standard mechanism to generate an MSC language is a High-level Message 
Sequence Chart (HMSC) . A simple type of HMSC is a Message Sequence Graph 
(MSG) . An MSG is a finite, directed graph with designated initial and terminal 
vertices. Each vertex in an MSG is labelled by an MSC. The collection of MSCs 
represented by an MSG consists of all those MSCs obtained by tracing a path 
in the MSG from an initial vertex to a terminal vertex and concatenating the 
MSCs that are encountered along the path. 

An HMSC is just an MSG in which a vertex can, in turn, be labelled by 
another HMSC, with the restriction that the overall nesting depth be finite. 
Thus, an HMSC can always be “flattened out” into an MSG. Henceforth, when 
we use the term HMSC we always assume the flat structure of an MSG. 

The edges in an HMSC represent the natural operation of MSC concatenation, which can be defined as follows. Let $M_i = (E_i, \le_i, \tau_i, \varphi_i, \pi_i)$, $i \in \{1, 2\}$, be a pair of MSCs such that $E_1 \cap E_2 = \emptyset$. The (asynchronous) concatenation of $M_1$ and $M_2$ is the MSC $M_1 \circ M_2 = (E, \le, \tau, \varphi, \pi)$ where $E = E_1 \cup E_2$, $\pi(e) = \pi_i(e)$ and $\tau(e) = \tau_i(e)$ for $e \in E_i$, $i \in \{1, 2\}$, $\varphi = \varphi_1 \cup \varphi_2$ and $\le$ is the reflexive, transitive closure of $\le_1 \cup \le_2 \cup \{(e, e') \mid e \in E_1, e' \in E_2, \pi_1(e) = \pi_2(e')\}$. 

Formally, an HMSC is a structure $\mathcal{H} = (S, \to, S_{in}, F, \Phi)$, where: 

(i) $S$ is a finite and nonempty set of states. 

(ii) $\to \subseteq S \times S$ is the transition relation. 

(iii) $S_{in} \subseteq S$ is a set of initial states. 

(iv) $F \subseteq S$ is a set of final states. 

(v) $\Phi : S \to \mathcal{M}$ is a (state-)labelling function. 

A path $\sigma = s_0 \to s_1 \to \cdots \to s_n$ through an HMSC $\mathcal{H}$ generates the MSC $M(\sigma) = \Phi(s_0) \circ \Phi(s_1) \circ \cdots \circ \Phi(s_n)$. A path $\sigma = s_0 \to s_1 \to \cdots \to s_n$ is a run if $s_0 \in S_{in}$ and $s_n \in F$. The language of MSCs accepted by $\mathcal{H}$ is $\mathcal{L}(\mathcal{H}) = \{M(\sigma) \in \mathcal{M} \mid \sigma \text{ is a run through } \mathcal{H}\}$. 




Fig. 2. An HMSC (figure not reproduced) 



Figure 2 is an example of an HMSC. The initial state is marked with an incoming arrow and the final state is marked with a double outline. It is easy to see that the language $\mathcal{L}$ defined by this HMSC is not regular. Though all the channels are uniformly bounded, there is a "context-free" correlation between the number of iterations of two disjoint sets of communications. 

A sufficient criterion for an HMSC to generate a regular MSC language is for it to be locally synchronized [13].² 

For an MSC $M = (E, \le, \tau, \varphi, \pi)$, the communication graph of $M$ is the directed graph $CG_M = (\mathcal{P}, \mapsto)$, where $\mathcal{P}$ is the set of processes of the system and $(p, q) \in \mapsto$ if $p$ sends a message to $q$ in $M$. More formally, $(p, q) \in \mapsto$ if there exists an $e \in E$ with $\pi(e) = p$, $\tau(e) = send$ and $\pi(\varphi(e)) = q$. 

The MSC $M$ is said to be connected if $CG_M$ consists of one nontrivial strongly connected component and isolated vertices. An MSC language $L \subseteq \mathcal{M}$ is connected in case each MSC $M \in L$ is connected. 

The HMSC $\mathcal{H}$ is locally synchronized if for every loop $\sigma = q \to q_1 \to \cdots \to q_n \to q$, the MSC $M(\sigma)$ is connected. Every locally synchronized HMSC defines a regular MSC language [2] (though the converse does not hold). The HMSC in Fig. 2 is not locally synchronized. 

² This notion is called "bounded" in [2]. 
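The locally synchronized condition quantifies over every loop, not just every simple cycle: two connected MSCs on disjoint process sets can each form a fine loop through a shared state while the loop that visits both is not connected. The following added example (not the paper's code) decides the condition exhaustively. It uses the fact that concatenation only unions messages, so $CG_{M(\sigma)}$ depends only on the set of states $\sigma$ visits, and that those sets are exactly the nonempty state subsets whose induced subgraph is strongly connected and has an edge. The three HMSCs are constructed; `TWO_PAIRS` follows the pattern the text attributes to Fig. 2 (two disjoint sets of communications on one loop) as we read it, since the figure is not reproduced.

```python
"""Added example (not the paper's code): deciding whether an HMSC is locally
synchronized, i.e. whether every loop has a connected communication graph."""
from itertools import combinations


def sccs(nodes, edges):
    """Strongly connected components via a reachability fixpoint (small graphs)."""
    reach = {v: {v} for v in nodes}
    changed = True
    while changed:
        changed = False
        for a, b in edges:
            merged = reach[a] | reach[b]
            if merged != reach[a]:
                reach[a] = merged
                changed = True
    comps, seen = [], set()
    for v in nodes:
        if v not in seen:
            comp = frozenset(w for w in nodes if w in reach[v] and v in reach[w])
            comps.append(comp)
            seen |= comp
    return comps


def is_connected(procs, comm_edges):
    """An MSC is connected when CG_M has exactly one nontrivial SCC and every
    other vertex is isolated (touched by no edge at all)."""
    nontrivial = [c for c in sccs(procs, comm_edges)
                  if any(a in c and b in c for a, b in comm_edges)]
    touched = {v for edge in comm_edges for v in edge}
    return len(nontrivial) == 1 and touched <= nontrivial[0]


def loop_state_sets(states, edges):
    """Sets of states visited by some loop: the nonempty subsets whose induced
    subgraph is strongly connected and has at least one edge (a single state
    therefore needs a self-loop)."""
    for r in range(1, len(states) + 1):
        for sub in combinations(states, r):
            sub = frozenset(sub)
            inner = [(a, b) for a, b in edges if a in sub and b in sub]
            if inner and len(sccs(sub, inner)) == 1:
                yield sub


def violating_loops(hmsc):
    """Loops whose MSC M(sigma) is not connected; empty iff locally synchronized.
    hmsc = (processes, states, edges, cg) where cg[s] is the edge set of the
    communication graph of the MSC labelling state s."""
    procs, states, edges, cg = hmsc
    return [sub for sub in loop_state_sets(states, edges)
            if not is_connected(procs, {e for s in sub for e in cg[s]})]


# Constructed HMSCs (assumed, not the paper's figures).
HANDSHAKE = ({"p", "q"}, ["a", "b"], [("a", "b"), ("b", "a")],
             {"a": {("p", "q")}, "b": {("q", "p")}})

# Two disjoint handshakes on one loop: each state's MSC is connected, but the
# loop's communication graph has two nontrivial SCCs.
TWO_PAIRS = ({"p1", "p2", "p3", "p4"}, ["s1", "s2"], [("s1", "s2"), ("s2", "s1")],
             {"s1": {("p1", "p2"), ("p2", "p1")}, "s2": {("p3", "p4"), ("p4", "p3")}})

# One process sends in a self-loop and never waits: no nontrivial SCC at all.
ONE_WAY = ({"p", "q"}, ["s"], [("s", "s")], {"s": {("p", "q")}})

if __name__ == "__main__":
    for name, h in [("HANDSHAKE", HANDSHAKE), ("TWO_PAIRS", TWO_PAIRS), ("ONE_WAY", ONE_WAY)]:
        print(name, "locally synchronized" if not violating_loops(h) else violating_loops(h))
```

The subset enumeration is exponential in the number of HMSC states, which is in line with the condition being a universal statement over loops; for the small HMSCs that appear as examples it is instantaneous.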
2.4 Finitely Generated MSC Languages 

Every MSC generated by an HMSC is, by definition, a concatenation of the MSCs that label the vertices of the HMSC. We say an MSC $M$ is atomic if $M$ cannot be written as the concatenation $M_1 \circ M_2$ of two nonempty MSCs. An MSC language $L$ is said to be finitely generated if there is a finite set of atomic MSCs $Atoms = \{M_1, M_2, \ldots, M_k\}$ such that every MSC $M \in L$ can be decomposed as $M_{i_1} \circ M_{i_2} \circ \cdots \circ M_{i_l}$, where each $M_{i_j} \in Atoms$. 

Clearly, every HMSC language is finitely generated. However, there exist regular MSC languages that are not finitely generated [6,9]. Every finitely generated regular MSC language can be represented as a locally synchronized HMSC [8]. 

3 Netcharts 

Netcharts are distributed versions of HMSCs in much the same way that Petri 
nets are distributed versions of finite-state automata. (We refer the reader to [5] 
for basic concepts and results on Petri nets.) 

3.1 Nets 

— A net is a triple $(S, T, F)$ where $S$ is a set of places (or local states), $T$ is a set of transitions and $F \subseteq (S \times T) \cup (T \times S)$ is the flow relation. For an element $x \in S \cup T$, we use ${}^\bullet x$ and $x^\bullet$, as usual, to denote the immediate predecessors and successors, respectively, of $x$ with respect to the flow relation $F$. 

— An S-net is a net $(S, T, F)$ in which $|{}^\bullet t| = 1 = |t^\bullet|$ for every $t \in T$. 

At the top level, a netchart has the structure of a safe Petri net that can be de- 
composed in a natural way into sequential components. Transitions synchronize 
distinct components and are annotated by MSCs involving those components. 

3.2 The Netchart Model 

A netchart is a structure $((S, T, F), M_{in}, loc, \Lambda)$ where: 

(i) $(S, T, F)$ is a net. 

(ii) $M_{in} \subseteq S$ is the initial marking. 

(iii) The function $loc$ maps each state $s \in S$ to a process in $\mathcal{P}$. For $s \in S$, we refer to $loc(s)$ as the location of $s$. For $p \in \mathcal{P}$, let $S_p = \{s \mid loc(s) = p\}$. 

(iv) For $t \in T$, let $loc(t) = \{loc(s) \mid s \in {}^\bullet t \cup t^\bullet\}$. The labelling function $\Lambda$ associates an MSC $M$ with each transition $t$ such that $loc(t) = \pi(M)$. 

(v) We impose the following restrictions on the structure of a netchart: 

— For each $t \in T$, for each $p \in loc(t)$, $|{}^\bullet t \cap S_p| = |t^\bullet \cap S_p| = 1$. In other words, each transition $t$ has exactly one input place and one output place for each process that participates in $t$. 

— For each $p \in \mathcal{P}$, $|M_{in} \cap S_p| = 1$. In other words, $M_{in}$ places exactly one token in each component $S_p$. 

— For $p \in \mathcal{P}$, let $T_p = \{t \mid p \in loc(t)\}$ denote the set of transitions that $p$ participates in. For each $p \in \mathcal{P}$, the net $(S_p, T_p, F_p)$, where $F_p = F \cap ((S_p \times T_p) \cup (T_p \times S_p))$, is an S-net. 

Figure 3 shows an example of a netchart. A more elaborate example modelling 
the alternating bit protocol is shown in Fig. 6. 



3.3 Semantics 

The operational semantics of a netchart is obtained by converting each MSC 
that labels a transition into a Petri net and “plugging in” these nets into the 
top-level safe net of the netchart. 

The crucial feature of our semantics is that each MSC that is used to label a high-level transition has a private set of channels. Thus, if a message $m$ is sent from $p$ to $q$ in the MSC labelling transition $t$, it can only be read when $q$ participates in the same high level transition $t$. 

We convert an MSC $M$ into a net $(S_M, T_M, F_M)$ in an obvious way. The set of transitions $T_M$ corresponds to the events of the MSC. Since each process is sequential, we insert a place between every adjacent pair of events along each process line. In addition, for each pair of processes $(p, q)$, we introduce a buffer place $b_{(p,q)}$. For each send event of a message from $p$ to $q$, the corresponding transition in $T_M$ feeds into the place $b_{(p,q)}$. For each receive event of a message from $p$ to $q$, the corresponding transition in $T_M$ has $b_{(p,q)}$ as an input place. 

In the netchart, for a high-level transition $t$ labelled by the MSC $M$, for each process $p \in loc(t)$, we connect the transition corresponding to the $\le_p$-minimum $p$-event in the MSC $M$ to the (unique) place in $S_p$ that feeds into $t$. Similarly, we connect the transition corresponding to the $\le_p$-maximum $p$-event in the MSC $M$ to the (unique) output place in $S_p$ of $t$. Observe that we do not need to model the channels between processes as queues. It suffices to maintain a count of the messages in transit between each pair of processes. The structure of the MSC and the labelling of the events ensures that messages are consumed in the order in which they are generated. 

The behaviour of the netchart is now given by the normal token game on the 
“low level” net that we have generated by plugging in a net for each MSC in 
the netchart. In the low level net, the control places that are inherited from the 
Fig. 4. The low level net for Fig. 3 and a typical MSC that it generates (figure not reproduced) 



original high level net are safe. However, the buffer places can have an arbitrary 
number of tokens. Thus, the low level net is not, in general, safe. 

All processes need not traverse the high level transitions in the same order. 
Each process proceeds asynchronously and only gets blocked if, within an MSC, 
it requires a token from a buffer place and the buffer place is empty. 

As we fire the “low level” transitions corresponding to the events of the MSCs 
labelling the high level transitions, we build up in the obvious way a partial order 
that can be regarded as an MSC. A complete MSC is generated when all send 
events have been matched up with corresponding receive events. This is captured 
by declaring a marking to be an accepting one if all the buffer places are empty 
at the marking. Thus, the language of the netchart is defined to be the set of 
MSCs generated by all firing sequences leading to accepting markings. (Note 
that there are only a finite number of such markings.) We can further control 
the language of a netchart by defining a set T of final control markings and insist 
that a marking is accepting only if all buffer places are empty and the control 
marking belongs to T . Figure 4 describes the low-level net associated with the 
netchart in Fig. 3 and also exhibits a typical MSC in the language defined by 
this netchart. 
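The construction of Sect. 3.3 and the token game above, as an added example that is not the paper's code. It builds the low-level net from a netchart whose transition labels are given per process as event lists, keeps one private buffer place per (transition, sender, receiver) triple as the semantics requires, explores the reachable markings, and replays a firing sequence to recover the messages of the MSC it generates. The netchart `HANDSHAKE` is constructed for this example (it is not Fig. 3); acceptance is taken to be empty buffer places plus a control marking in the given final set $\mathcal{F}$.

```python
"""Added example (not the paper's code): the low-level Petri net of a netchart
and the token game that defines its MSC language."""
from collections import Counter

# An MSC label lists, for each participating process, its events top to bottom:
# ("!", q, m) sends m to q, ("?", q, m) receives m from q, ("i", a) is internal.


def low_level_net(nc):
    """Plug the net of each MSC label into the high-level net.  Every high-level
    transition t gets its own private buffer places b_(t,p,q), as in Sect. 3.3."""
    pre, post, buffers = {}, {}, set()
    for t, (tin, tout) in nc["transitions"].items():
        for p, events in nc["labels"][t].items():
            src = next(s for s in tin if nc["loc"][s] == p)   # unique input place of t on p
            dst = next(s for s in tout if nc["loc"][s] == p)  # unique output place of t on p
            for i, ev in enumerate(events):
                lt = (t, p, i)                                 # one low-level transition per event
                pre[lt] = Counter({src if i == 0 else (t, p, i - 1, "ctl"): 1})
                post[lt] = Counter({dst if i == len(events) - 1 else (t, p, i, "ctl"): 1})
                if ev[0] == "!":                               # a send feeds b_(t,p,q)
                    b = (t, p, ev[1], "buf")
                    buffers.add(b)
                    post[lt][b] += 1
                elif ev[0] == "?":                             # a receive consumes from b_(t,q,p)
                    b = (t, ev[1], p, "buf")
                    buffers.add(b)
                    pre[lt][b] += 1
    return pre, post, buffers


def enabled(marking, pre):
    return [lt for lt, need in pre.items() if all(marking[s] >= n for s, n in need.items())]


def fire(marking, lt, pre, post):
    m = Counter(marking)
    m.subtract(pre[lt])
    m.update(post[lt])
    return +m                                                  # drop places holding zero tokens


def control_marking(nc, marking):
    """The marked places inherited from the high-level net."""
    return {s for s in marking if s in nc["loc"]}


def reachable(nc, limit=10000):
    """Explore the token game.  Returns (reachable markings, accepting markings);
    accepting = all buffer places empty and control marking in nc["final"].
    More than `limit` markings is what an unbounded buffer place looks like."""
    pre, post, buffers = low_level_net(nc)
    start = Counter({s: 1 for s in nc["initial"]})
    key = lambda m: frozenset(m.items())
    seen, todo = {key(start): start}, [start]
    while todo:
        m = todo.pop()
        for lt in enabled(m, pre):
            n = fire(m, lt, pre, post)
            if key(n) not in seen:
                if len(seen) >= limit:
                    raise RuntimeError("too many markings; a buffer place may be unbounded")
                seen[key(n)] = n
                todo.append(n)
    accepting = [m for m in seen.values()
                 if all(m[b] == 0 for b in buffers) and control_marking(nc, m) in nc["final"]]
    return list(seen.values()), accepting


def play(nc, run):
    """Fire a sequence of low-level transitions, checking enabledness, and collect
    the messages (sender, receiver, type) of the MSC the run builds up."""
    pre, post, buffers = low_level_net(nc)
    m = Counter({s: 1 for s in nc["initial"]})
    messages = []
    for lt in run:
        if lt not in enabled(m, pre):
            raise ValueError(f"{lt} is not enabled at {dict(m)}")
        m = fire(m, lt, pre, post)
        t, p, i = lt
        ev = nc["labels"][t][p][i]
        if ev[0] == "!":
            messages.append((p, ev[1], ev[2]))
    complete = all(m[b] == 0 for b in buffers)                 # every send matched
    return m, messages, complete


# Constructed netchart (assumed, not Fig. 3): p and q run a request/acknowledge
# handshake t1, then each resets on its own (t2, t3) before the next round.
HANDSHAKE = {
    "loc": {"P0": "p", "P1": "p", "Q0": "q", "Q1": "q"},
    "initial": {"P0", "Q0"},
    "final": [{"P0", "Q0"}],
    "transitions": {"t1": ({"P0", "Q0"}, {"P1", "Q1"}),
                    "t2": ({"P1"}, {"P0"}),
                    "t3": ({"Q1"}, {"Q0"})},
    "labels":      {"t1": {"p": [("!", "q", "req"), ("?", "q", "ack")],
                           "q": [("?", "p", "req"), ("!", "p", "ack")]},
                    "t2": {"p": [("i", "reset")]},
                    "t3": {"q": [("i", "reset")]}},
}

if __name__ == "__main__":
    markings, accepting = reachable(HANDSHAKE)
    print(len(markings), "reachable markings,", len(accepting), "accepting")
    # p opens the second round (a send never blocks) before q has reset: the
    # processes traverse the high-level transitions asynchronously.
    print(play(HANDSHAKE, [("t1", "p", 0), ("t1", "q", 0), ("t1", "q", 1), ("t1", "p", 1),
                           ("t2", "p", 0), ("t1", "p", 0), ("t3", "q", 0)]))
```

Because `t1` waits for an acknowledgement, every buffer place of this netchart holds at most one token and the exploration terminates; replace the handshake by an unacknowledged send and `reachable` hits its limit, which is the situation of Sect. 5 where the low-level net is unbounded.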

4 From Netcharts to Message-Passing Automata 

The low level net associated with a netchart makes it an executable specification. 
We now show that a netchart can also easily be transformed into the executable 
model often used in connection with HMSCs [1,12]. 

4.1 Message Passing Automata 

A natural implementation model for MSC languages is a message-passing automaton. Recall that the set of processes $\mathcal{P}$ determines the communication alphabet $\Gamma$. For $p \in \mathcal{P}$, let $\Gamma_p = \{p!q(m), p?q'(m') \mid q, q' \in \mathcal{P}, m, m' \in \Delta\}$ denote the actions that process $p$ participates in. 

A message-passing automaton over $\Gamma$ is a structure $\mathcal{A} = (\{\mathcal{A}_p\}_{p \in \mathcal{P}}, Aux, s_{in}, F)$ where: 

— $Aux$ is a finite alphabet of (auxiliary) messages. 

— Each component $\mathcal{A}_p$ is of the form $(S_p, \to_p)$ where 

• $S_p$ is a finite set of $p$-local states. 

• $\to_p \subseteq S_p \times \Gamma_p \times Aux \times S_p$ is the $p$-local transition relation. 

— $s_{in} \in \prod_{p \in \mathcal{P}} S_p$ is the global initial state. 

— $F \subseteq \prod_{p \in \mathcal{P}} S_p$ is the set of global final states. 

The local transition relation $\to_p$ specifies how the process $p$ sends and receives messages. The transition $(s, p!q(m), \mu, s')$ specifies that in state $s$, $p$ can send the message $m$ augmented with auxiliary information $\mu$ to $q$ by executing the communication action $p!q(m)$ and go to the state $s'$. Similarly, the transition $(s, p?q(m), \mu, s')$ signifies that at the state $s$, $p$ can receive the message $(m, \mu)$ from $q$ by executing the action $p?q(m)$ and go to the state $s'$. 

The behaviour of a message-passing automaton is described in terms of configurations. Channels are modelled as queues. A configuration specifies the local state of each process together with the contents of each queue. A transition of the form $(s, p!q(m), \mu, s')$ appends the message $(m, \mu)$ to the queue $(p, q)$. Similarly, a transition of the form $(s, p?q(m), \mu, s')$ removes the message $(m, \mu)$ from the head of the queue $(q, p)$; this transition is blocked if such a message is not available. A final configuration is one in which the local states of the processes constitute a final state of the message-passing automaton and all queues are empty. We can define a run of such an automaton, as usual. Runs that lead to final configurations are called accepting. The language accepted by the automaton is the set of words that admit accepting runs. The structure of the automaton ensures that this word language corresponds to the set of linearizations of an MSC language, so we can associate an MSC language in a natural way with a message-passing automaton. For more details, the reader is referred to [9,12]. 
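The message-passing automaton of this section, as an added example that is not the paper's code. It keeps one FIFO queue per ordered pair of processes, decides membership of a word over $\Gamma$ by tracking every configuration the (possibly nondeterministic) automaton can reach on it, and decides $B$-boundedness for a given $B$ (the notion Theorem 5 in Sect. 7 relies on) by exploring reachable configurations and stopping at the first queue that exceeds $B$. The two automata are constructed; `Aux` is the single tag `"-"`.

```python
"""Added example (not the paper's code): a message-passing automaton with FIFO
queues, word acceptance over Gamma, and a decision procedure for B-boundedness."""
import re

ACTION = re.compile(r"^(\w+)([!?])(\w+)\((\w+)\)$")   # p!q(m) or p?q(m)


class MPA:
    """trans[p] lists the p-local transitions (s, action, aux, s'); init and
    finals are global states, i.e. tuples of local states in the order of procs."""

    def __init__(self, procs, trans, init, finals):
        self.procs, self.trans = list(procs), trans
        self.init, self.finals = tuple(init), {tuple(f) for f in finals}

    def step(self, config, p, tr):
        """Apply one local transition of p, or return None if it is blocked."""
        states, queues = config
        s, action, aux, s2 = tr
        who, kind, other, m = ACTION.match(action).groups()
        assert who == p, "action must belong to Gamma_p"
        idx = self.procs.index(p)
        if states[idx] != s:
            return None
        queues = dict(queues)
        if kind == "!":                                   # append (m, aux) to queue (p, q)
            queues[(p, other)] = queues.get((p, other), ()) + ((m, aux),)
        else:                                             # pop (m, aux) from the head of (q, p)
            head = queues.get((other, p), ())
            if not head or head[0] != (m, aux):
                return None
            queues[(other, p)] = head[1:]
        new_states = list(states)
        new_states[idx] = s2
        return tuple(new_states), queues

    def successors(self, config):
        for p in self.procs:
            for tr in self.trans[p]:
                nxt = self.step(config, p, tr)
                if nxt is not None:
                    yield tr[1], nxt

    @staticmethod
    def key(config):
        states, queues = config
        return states, frozenset((c, q) for c, q in queues.items() if q)

    def is_bounded(self, B):
        """True iff no reachable configuration has more than B messages in any
        queue.  The search stops at the first queue exceeding B, and with every
        queue capped at B the configuration space is finite, so it terminates."""
        start = (self.init, {})
        seen, todo = {self.key(start)}, [start]
        while todo:
            cfg = todo.pop()
            for _, nxt in self.successors(cfg):
                if any(len(q) > B for q in nxt[1].values()):
                    return False
                if self.key(nxt) not in seen:
                    seen.add(self.key(nxt))
                    todo.append(nxt)
        return True

    def accepts(self, word):
        """Is the word over Gamma accepted?  Track every configuration reachable
        on it and accept iff one is final: final global state, all queues empty."""
        start = (self.init, {})
        live = {self.key(start): start}
        for a in word.split():
            live = {self.key(n): n for cfg in live.values()
                    for act, n in self.successors(cfg) if act == a}
            if not live:
                return False
        return any(st in self.finals and not any(qs.values()) for st, qs in live.values())


# Constructed automata (Aux is the single tag "-").
HANDSHAKE = MPA(
    ["p", "q"],
    {"p": [(0, "p!q(req)", "-", 1), (1, "p?q(ack)", "-", 0)],
     "q": [(0, "q?p(req)", "-", 1), (1, "q!p(ack)", "-", 0)]},
    init=(0, 0), finals=[(0, 0)])

# An unguarded producer: p may send as often as it likes, so no B bounds the
# queue (p, q), and by Theorem 5 the MSC language it accepts is not regular.
PRODUCER = MPA(
    ["p", "q"],
    {"p": [(0, "p!q(m)", "-", 0)], "q": [(0, "q?p(m)", "-", 0)]},
    init=(0, 0), finals=[(0, 0)])

if __name__ == "__main__":
    print("handshake 1-bounded:", HANDSHAKE.is_bounded(1))
    print("producer 3-bounded:", PRODUCER.is_bounded(3))
    print(HANDSHAKE.accepts("p!q(req) q?p(req) q!p(ack) p?q(ack)"))
```

`is_bounded` answers the question for one fixed $B$; Theorem 5 quantifies over all $B$, so a negative answer for one bound does not by itself settle regularity, while a positive answer does.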



4.2 From Netcharts to Automata 

Each non-buffer place in the low-level net corresponding to a netchart can be 
uniquely assigned a location in V. The places that belong to process p define, in 
a natural way, a local sequential component of a message-passing automaton. 

The resulting message-passing automaton differs in one important aspect 
from the original netchart — each MSC that labels a transition in a netchart 
writes into a private set of channels, while there is only one common set of 
channels in a message-passing automaton. So long as the MSCs generated by the 
netchart obey the FIFO restriction on each channel, this collapsing of channels 
does not affect the MSC language and the language accepted by the message- 
passing automaton is the same as the one defined by the netchart. 

However, netcharts can define MSCs that violate the FIFO restriction on 
channels, as seen in Fig. 5. We cannot directly translate such a netchart into a 
message-passing automaton. The solution is to weaken the definition of an MSC 
to permit multiple channels between processes. Different channels may carry 
messages of the same type. Each channel is FIFO, but messages on different 
channels can overtake each other (even between the same pair of processes). 
Fig. 5. A netchart that generates a non-FIFO MSC (figure not reproduced) 



We can then augment message-passing automata so that each send and re- 
ceive specifies the channel name in addition to the message type. With this 
extension, netcharts can always be converted into message-passing automata. 
However, for simplicity, we shall assume that we only deal with netcharts that 
generate MSCs that respect the FIFO restriction and work with the simpler 
definition of message-passing automata that we presented initially. 

5 Regular Netchart Languages 

We begin with a simple observation about Petri nets. Let $N = ((S, T, F), M_{in})$ be a Petri net and $L(N)$ denote the set of firing sequences of $N$. Recall that a Petri net is bounded if there exists a uniform upper bound $B$ such that at any reachable marking, every place contains at most $B$ tokens. 

Proposition 2. If $N$ is a bounded Petri net then $L(N)$ is regular. 

This easily yields a sufficient criterion for a netchart language to be regular. 

Lemma 3. If the low level net associated with a netchart is bounded, the MSC language of the netchart is regular. 

Since boundedness is a decidable property for nets, this condition can be effectively checked. Since the converse of the preceding lemma does not hold, deciding the regularity of a netchart language is not straightforward. For the netchart language to be non-regular, we have to find an unbounded family of markings, each of which can be reduced to a legal final marking where all buffer places are empty. 

However, for the special case where each component of a netchart is a cyclic process, regularity is decidable. 

Theorem 4. Consider a netchart in which each component is a cyclic process. It is decidable if the language of such a netchart is regular. 

Proof. We construct the communication graph for the entire netchart. This graph has the set of processes as vertices and an edge from $p$ to $q$ if there is a transition in the netchart labelled by an MSC with a message from $p$ to $q$. 

Let $C, C'$ be maximal strongly connected components (SCCs) of this communication graph. We draw an edge from $C$ to $C'$ if there exists $p \in C$ and $q \in C'$ such that there is an edge in the communication graph from $p$ to $q$. This induced graph of SCCs is a dag. This dag may itself break up into a number of connected components. We can analyze each of these components separately, so, without loss of generality, assume that the entire dag is connected. 

The buffer places that connect processes within each SCC are automatically bounded (for the same reason that a locally synchronized HMSC generates a regular MSC language). Thus, the only buffer places that can be unbounded are those that connect processes in different SCCs. 

Suppose $p \in C$, $q \in C'$ and there is an edge from $p$ to $q$ in the communication graph. Then, by the structure of a netchart, each time $p$ enters a high-level transition where it sends a message to $q$, there must be a matching instance where $q$ enters so that the buffer places are cleared out. This has two implications. 

(i) If $p$ is not live — that is, it can execute only a finite number of actions — then $q$ is not live. Indeed, all of $C$ and $C'$ are not live. 

(ii) If $q$ is not live, then any messages generated by $p$ after $q$ quits will never be consumed, so the resulting behaviour will not lead to an MSC in the language. Thus, effectively the buffer place between $p$ and $q$ is bounded. 

Thus, if a process $p$ is not live, all processes in the SCC $C$ containing $p$ as well as all SCCs that are descendants of $C$ in the dag are not live. Moreover, after a bounded initial period, any message produced by an ancestor SCC will never be consumed. So, as far as the MSC language is concerned, the ancestors of $C$ also have only a bounded life. In other words, if even a single process is not live, the entire dag has a bounded behaviour and the resulting MSC language is bounded. Conversely, the language is unbounded iff all the SCCs in the dag are live. 

Thus the problem reduces to checking whether all the SCCs in the dag are live. Observe that the minimal SCCs in the dag have no input buffer places, so their liveness can be analyzed in isolation. This is not difficult to check given the simple cyclic structure of the components. If all the immediate predecessors of an SCC are live, then the liveness of the SCC again depends only on its internal structure, so we perform the same check as for the minimal SCCs. Thus, we can systematically check the liveness of all the SCCs in the dag by sorting them topologically and analyzing them in this sorted sequence. □ 



6 HMSCs vs. Netcharts 

Every HMSC language is finitely generated (and all finitely generated regular 
MSC languages are HMSC representable). It turns out that netcharts can also 
generate regular MSC languages that are not finitely generated. An example of 
this is the alternating bit protocol in which two processes communicate over a 
lossy channel. The sender alternately tags the data it sends with bits 0 and 1. 
The receiver acknowledges the bit corresponding to each data item it receives. 
Fig. 6. A netchart for the alternating bit protocol, with a typical MSC (figure not reproduced) 



The sender flips its bit each time it gets the acknowledgement it is waiting for 
(and ignores any incorrect acknowledgement that it may receive). 

Figure 6 shows a netchart corresponding to the alternating bit protocol. In the figures, messages $d_0$ and $d_1$ represent data sent with bit 0 and 1, respectively, and messages $a_0$ and $a_1$ represent the corresponding acknowledgements. 

The first HMSC we encountered, Fig. 2, generates a non-regular language 
in which all channels are bounded. It is not difficult to show that any netchart 
implementation of this HMSC (i.e., its associated low level Petri net) would 
have bounded buffers. For netcharts, bounded buffers imply regularity. Hence, 
this HMSC is not representable via netcharts. However, from the result we will 
prove in the next section it follows that every HMSC that defines a regular MSC 
language has an equivalent netchart. 



7 From Regular MSC Languages to Netcharts 

We now show that every regular MSC language can be represented as a netchart. We begin by recalling the characterization of regular MSC languages in terms of message-passing automata. A $B$-bounded message-passing automaton is one in which in every reachable configuration, there are at most $B$ messages in transit in any queue. We then have the following result from [12]. 

Theorem 5. An MSC language $L$ is regular iff there is a $B$-bounded message-passing automaton that accepts $L$, for some bound $B \in \mathbb{N}_0$. 

We now show that netcharts with final control markings can generate all 
regular MSC languages. 

Theorem 6. Every regular MSC language can be represented as a netchart. 

Proof Sketch: We can simulate a $B$-bounded message-passing automaton using a netchart. 

In a $B$-bounded message-passing automaton, each queue is uniformly bounded by $B$. We can naively regard each channel as a cyclic buffer of size $B$ with slots labelled $0$ to $B-1$. Each process begins by reading from or writing into slot $0$ along each channel that it is connected to. After a process reads from (or writes to) slot $i$ of a channel $c$, when it next accesses the same channel it will read from (or write to) slot $i + 1 \bmod B$, which we denote $i \oplus 1$. 

In this framework, the complete configuration of a process is given by its local state $s$ and the slot $k_i$ that it will next read from or write to for each channel $c_i$ that it is connected to. Initially, a process is in the configuration $(s_{in}, 0, \ldots, 0)$. 

Each local transition $s \xrightarrow{p!q(m),\mu} s'$ (or $s \xrightarrow{p?q(m),\mu} s'$) on channel $c_i$ generates a family of moves of the form $(s, k_1, k_2, \ldots, k_i, \ldots, k_n) \xrightarrow{p!q(m),\mu} (s', k_1, k_2, \ldots, k_i \oplus 1, \ldots, k_n)$ (or $(s, k_1, k_2, \ldots, k_i, \ldots, k_n) \xrightarrow{p?q(m),\mu} (s', k_1, k_2, \ldots, k_i \oplus 1, \ldots, k_n)$), for each choice of $k_1, k_2, \ldots, k_n$, corresponding to the $n$ channels that the process reads or writes. 

We construct a netchart in which, for each process $p$, there is a separate place corresponding to each configuration $(s, k_1, k_2, \ldots, k_n)$ of $p$ in the $B$-bounded message-passing automaton. Consider a message $(m, \mu)$ that is transmitted on channel $c_i$ during a run of the message-passing automaton. When this message is sent, the sending process is in some configuration of the form $(s, k_1, k_2, \ldots, k_i, \ldots, k_n)$ and when this message is received, the receiving process is in some configuration of the form $(t, l_1, l_2, \ldots, k_i, \ldots, l_n)$ (notice that the value of $k_i$ in the two configurations is necessarily the same). For each such pair of sending and receiving configurations, we create a separate transition in the netchart representing $c_i$, labelled with an MSC consisting of a single message $(m, \mu)$ (see Fig. 7). We use internal transitions to let the sending process guess the context in which the message will be received and fire the corresponding transition in the netchart. Symmetrically, the receiving process guesses the context in which the message was sent and enters the corresponding transition in the netchart. 

We can then associate a set of global final control states with this netchart corresponding to the accepting states of the original message-passing automaton. It is not difficult to see that this netchart accepts the same MSC language as the original message-passing automaton. 

The crucial observation is that any inconsistent choice among nondeterministic transitions in the netchart must lead to deadlock. Suppose that for channel $c_i$, the sending and receiving processes make incorrect guesses about each other's contexts for message $(m, \mu)$ sent in slot $k_i$ along $c_i$. This would result in the receiving process getting stuck in the wrong netchart transition. The only way for it to make progress is for the sending process to eventually cycle through all the other slots along channel $c_i$, return to slot $k_i$ and send a fresh copy of the message $(m, \mu)$ within the netchart transition where the receiving process is stuck. This can be mapped back into a run of the message-passing automaton in which the channel $c_i$ is not $B$-bounded, which is a contradiction. □ 
Fig. 7. The translation from $B$-bounded message-passing automata to netcharts (figure not reproduced) 



8 Discussion 

We have shown that by distributing the control in an HMSC in an appropriate way, we can derive a model that is much more easily implementable than HMSCs while retaining the appeal of a visual formalism. In terms of the regular MSC languages they can represent, netcharts are more expressive than HMSCs. In general, the expressive power of the two formalisms is incomparable. 

As mentioned in the introduction, an important aspect of the netchart model 
is that the compound MSCs that are defined by a netchart are built up from 
“complete” MSCs. This is important from the point of view of using such a 
formalism to capture system requirements at a reasonably intuitive level. An 
alternative approach, suggested in [6], is to label HMSC nodes with compositional 
MSCs that may have unmatched sends and receives. A single send or receive 
action is a trivial example of a compositional MSC. Thus, a specification in 
terms of compositional MSCs very quickly becomes indistinguishable from a 
concrete implementation in terms of distributed automata. 

One natural direction in which to extend this work is to use netcharts for 
capturing requirements in realistic settings. 

At a technical level, the following interesting questions remain open: 

— What is the exact relationship between the class of Netchart languages and 
the class of HMSC representable languages? 

— Is the problem of checking whether the language of a netchart is regular 
decidable? 
Abstract. Abstraction is a key issue in automatic verification, and it is often performed by a projection on a subsystem that is relevant for the property to check. This paper defines projections for the scenario language of High-level Message Sequence Charts (HMSC). We first show that the projection of an HMSC is not representable as an HMSC, in general. However, we show that projections of HMSCs can be represented by a larger class of scenario languages, namely by (realizable) compositional HMSCs (cHMSCs). Moreover, we propose an algorithm that checks whether the projection of an HMSC can be represented by an HMSC, constructing the HMSC representation, when possible. This can be used in model-checking the projection of an HMSC specification. 



1 Introduction 

Scenario languages such as Harel’s Live Sequence Charts [7] , UML sequence dia- 
grams, interworkings, etc. have seen a growing interest this last decade. Among 
them, the ITU standardized notation of Message Sequence Charts (MSCs, [10]) 
has received a lot of attention, both in the area of formal methods and in auto- 
matic verification [1,2,8,13,11,15]. MSCs can be considered as an abstract repre- 
sentation of communications between asynchronous processes. They are usually 
used as requirements, documentations, abstract test cases, and so on. A common 
approach for modeling the behavior of distributed systems is to describe them 
by means of parallel composition of communicating instances. MSCs and high- 
level MSCs (HMSCs for short) propose a pictorial way of modeling behaviors, 
combining parallel composition (processes) with sequential composition (transi- 
tion system). The main advantage of such a representation is to have a local, 
explicit description of the communication and the causalities appearing in the 
system. Even if HMSCs seem to be a very simple formalism, the explicit use of 
parallel composition leads to model-checking being in general undecidable ([2, 
13]). By model-checking we mean validating HMSC specifications versus sim- 
ple properties, that are either given in some sequential logics/automata or as 
HMSCs. Some weaker decidable comparison criteria have been proposed, such 
as matching with gaps [12,14]. Notice also that model-checking partial order 
properties (i.e., specified using partial order logics) is decidable, albeit of high 
complexity, [11,15]. 

Abstraction often appears as a central issue for automatic verification of large 
systems [3,5,16], since it can decrease the complexity of the verification process. 
In general, the issue is how to obtain an abstraction that allows to transfer 
the result back to the initial system. Scenarios are supposed to remain rather 
concise, but in some cases they may have been designed with too many details, 
which are not relevant for the property to check. Moreover, the details may 
hide important information concerning the causalities. Abstraction for HMSCs 
can be performed by collapsing nodes of the graph, as for Kripke structures. 
The problem is that such an abstraction can produce more behaviors than the 
initial model. Thus the result of model-checking is only an approximation for the 
real model. Abstraction can also be defined by projecting away some events or 
instances, without changing the graph. This abstraction of an HMSC is still an 
HMSC, but has as a negative side effect the loss of certain causalities between 
events. For example, if one wants to know whether an event a on process p 
appears before b on process q, then she might want to verify it only on the 
subsystem obtained by projecting away all events not on {p,q}. However, in 
this subsystem, the events a, b might become unordered, which means that the 
abstraction will not preserve the property. 

The first motivation of this paper is to give an exact abstraction of HMSCs, 
i.e. with no approximation. Our abstraction hides (projects away) specific events 
while preserving the causalities. This can have several benefits. First, it can pro- 
vide a better comprehension of the interactions between particular instances 
(see Figure 3 for a concrete example). Second, when comparing two MSCs, a 
designer might be interested in comparing the behaviors involving common fea- 
tures of both scenarios. Hiding information while preserving causal dependencies 
becomes then a central point for this kind of comparison. Our abstraction will 
preserve the causal order, hence the property $(\neg b)\,U\,a$ of the example above. More generally, if the projection is defined on events on a given set of processes $P$, then any formula defined by $\varphi = a \mid \neg\varphi \mid \varphi\,U_P\,\psi$ is satisfied by the projection if and only if it is satisfied by the concrete system. Here, the atomic propositions $a$ concern only processes in $P$. The operator $U_P$ is a restriction of $U$ meaning that the 'until' is taken among the processes in $P$. That is, $\varphi\,U_P\,\psi = (\varphi \vee \neg P)\,U\,\psi$. Finally, a motivation for hiding actions in an HMSC is to be able to verify properties on a model that is hopefully smaller.

The main problem raised by projections of HMSCs that preserve the causal- 
ities is the representation of the projected HMSC. First, the projection of an 
MSC is not always an MSC, as hiding may produce events that represent at the 
same time sends and receives. A more severe problem is that, projected HMSCs 
(even bounded ones, [2,13]) cannot be represented by means of a finite HMSC, 
in general. The first main result of the paper is that we can always represent 
the projection of an HMSC by a realizable compositional HMSC (cHMSCs, [6]). 
Moreover, we give an algorithm that tests whether the projection of an HMSC 
can be represented by an HMSC. The second main result is an effective construction of an HMSC representing the projection of an HMSC, whenever this is possible.

High-Level Message Sequence Charts and Projections 313

This paper is organized as follows. Section 2 introduces basic notions related 
to MSCs, and section 3 defines the projections. Section 4 shows on a concrete 
protocol (RMTP2) the reasons that can prevent an HMSC projection from being represented as an HMSC. Section 5 establishes the effective equivalence between
projections of HMSCs and realizable cHMSCs. The main result of the paper is 
given in section 6. It states that we can decide in polynomial space whether a 
realizable cHMSCs (in particular, the projection of an HMSC) can be repre- 
sented by an HMSC. In the affirmative case, we can build effectively such an 
HMSC. Finally, in section 7 we show that model-checking projections of HMSCs 
is decidable under some reasonable assumptions. Due to space limitations most 
proofs are omitted. 

2 Preliminaries 

Message Sequence Charts (MSC for short) form a scenario language standardized by the ITU [10]. They represent simple diagrams depicting the activity and
communications in a distributed system. The entities participating in the inter- 
actions are called instances (or processes) and are represented by vertical lines. 
Message exchanges are depicted by arrows from the sender to the receiver. In 
addition to messages, atomic actions and timer operations (set, reset and time- 
out) can also be represented. Figure 1-a gives an example of an MSC modeling 
interactions between a Sender, a Medium and a Receiver. 

Formally, an MSC $M$ is a partially ordered set (poset) described by a tuple $M = (E, <, A, V, t, P, m)$, where $E$ is a finite set of events, $< \,\subseteq E \times E$ is a partial order on $E$ and $A$ is a set of actions, the union of three kinds: sending, receiving or atomic actions (internal operations or events related to timers). $V$ is a finite set of $p$ processes (instances), $t : E \to A$ associates an action with each event and $P : E \to V$ associates a process with each event. The message relation $m \subseteq E \times E$ pairs up sending and receiving events such that each send has a unique associated receive, and vice-versa. A send action is denoted by $p!q(a)$, meaning that $p$ sends to $q$ the message $a$. A receive action is denoted by $q?p(a)$, meaning that $q$ receives message $a$ from $p$. The message relation $m$ is consistent with the mapping $t$, i.e., if $(e,f) \in m$, then $t(e) = p!q(a)$ and $t(f) = q?p(a)$ for some $p, q, a$.

The visual order of $M$ is given by a total order on each process $p \in V$, i.e. on each set of events $E \cap P^{-1}(p)$ (process ordering), and by the message ordering $e < f$ for every message $(e,f) \in m$. The graphical representation of an MSC diagram actually corresponds to the visual order, consisting of vertical lines (process ordering) and message arrows (message ordering). The relation $<$ is the partial order generated by the visual order. We write $e \lessdot f$ when $e < f$ and there is no event $g$ with $e < g < f$. It is a common assumption that inter-process communication is FIFO, i.e., there is no overtaking of messages on any channel. Figure 1-b depicts the Hasse diagram of the partial order of the MSC in Figure 1-a.
MSCs are not expressive enough for specifying sets of scenarios and need operators such as choice or iteration to model interesting behaviors. This leads to High-level Message Sequence Charts (HMSCs) [10], that are just transition systems with nodes labeled by MSCs. Their semantics is defined by the sequential composition of two MSCs $M_1, M_2$. Let $M_i = (E_i, <_i, A_i, V_i, t_i, P_i, m_i)$. Their sequential composition is the MSC $M_1 \circ M_2 = (E_1 \uplus E_2, <, A_1 \cup A_2, V_1 \cup V_2, t_1 \cup t_2, P_1 \cup P_2, m_1 \cup m_2)$, where $<$ is the transitive closure of $<_1 \cup <_2 \cup \{(e_1, e_2) \in E_1 \times E_2 \mid P_1(e_1) = P_2(e_2)\}$ defined on the disjoint union of events $E_1 \uplus E_2$. Intuitively, the sequential composition glues two MSCs along their common instance axis.

An HMSC is a tuple $H = (V, \to, v^0, F, \lambda)$ where $(V, \to, v^0, F)$ is a transition system with set of nodes $V$, transition relation $\to$, initial node $v^0$ and set of final nodes $F$. Each node $v$ is labeled by an MSC, denoted $\lambda(v)$. An initial path of $H$ is defined as a sequence of transitions $\rho = (v_1 \to v_2 \to \cdots \to v_k)$ with $v_1 = v^0$. If moreover $v_k \in F$, then $\rho$ is an accepting path. The MSC $\lambda(\rho)$ associated with a path $\rho$ is the sequential composition of the MSCs labeling the nodes, $\lambda(\rho) = \lambda(v_1) \circ \cdots \circ \lambda(v_k)$. An HMSC $H$ defines a set of (finite) MSCs $\mathcal{L}(H) = \{\lambda(\rho) \mid \rho \text{ is an accepting path of } H\}$. Figure 2-a depicts an HMSC involving processes $A, B, C$.

Compositional MSCs (cMSC for short) is a notation that extends MSCs [6]. 
The difference between a cMSC and an MSC is that the message function m is a 
partial function, i.e., there can be sends or receives for which no matching event 
is defined. Such an event is called here isolated. The sequential composition of 
cMSCs is defined as above, with the additional requirement that the message 
function of M eventually matches isolated sends of Mi with isolated receives of 
M2 in such a way that M respects the FIFO condition. Hence, if two isolated 
sends from process 1 to 2 are concatenated with two isolated receives from pro- 
cess 1 to 2, then the resulting MSC consists of two successive messages from 1 
to 2. See [6] for details. 

A compositional HMSC $H$ is an HMSC with nodes labeled by cMSCs. It defines a set of cMSCs $\mathcal{L}(H) = \{\lambda(\rho) \mid \rho \text{ is an accepting path of } H\}$. Moreover, a cHMSC is called realizable in [6], if there is no accepting path with isolated events.
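As an added worked example (not code from the paper or from the cMSC literature it cites), the following Python script implements the sequential composition of cMSCs described above: the instance axes are glued, and the isolated sends of M1 are matched with the isolated receives of M2 channel by channel in FIFO order. The record layout (`lines`, `act`, `msgs`) and the sample chart with two isolated sends from process 1 to process 2 are constructed here for illustration.

```python
from collections import defaultdict

def cmsc(lines, act, msgs=()):
    """Build a cMSC record (a constructed layout, not the paper's notation).
    lines: {process: [event ids in visual order on that instance axis]}
    act:   {event: ("send" | "recv" | "local", peer_process, message_name)}
    msgs:  pairs (send_event, recv_event) that are already matched."""
    proc = {e: p for p, es in lines.items() for e in es}
    assert set(proc) == set(act), "every event needs exactly one action"
    return {"lines": dict(lines), "act": dict(act), "proc": proc, "msgs": set(msgs)}

def isolated(m):
    """Sends/receives without a matching partner (the isolated events of [6]),
    listed instance by instance in visual order."""
    matched = {e for pair in m["msgs"] for e in pair}
    return [e for es in m["lines"].values() for e in es
            if m["act"][e][0] != "local" and e not in matched]

def realizable(m):
    """A cMSC with no isolated event is a plain MSC."""
    return not isolated(m)

def compose(m1, m2):
    """Sequential composition M1 o M2 of two cMSCs with disjoint event sets.
    Isolated sends of M1 on channel (p, q) are matched, oldest first (FIFO),
    with the isolated receives of M2 on the same channel; message names must
    agree, otherwise the composition would violate the FIFO condition."""
    if set(m1["proc"]) & set(m2["proc"]):
        raise ValueError("event sets must be disjoint (rename events first)")
    lines = defaultdict(list)
    for m in (m1, m2):
        for p, es in m["lines"].items():
            lines[p].extend(es)          # glue the common instance axes
    act = {**m1["act"], **m2["act"]}
    msgs = m1["msgs"] | m2["msgs"]
    pending = defaultdict(list)          # channel (sender, receiver) -> isolated sends of M1
    for e in isolated(m1):
        kind, peer, _ = m1["act"][e]
        if kind == "send":
            pending[(m1["proc"][e], peer)].append(e)
    for r in isolated(m2):
        kind, peer, name = m2["act"][r]
        channel = (peer, m2["proc"][r])
        if kind == "recv" and pending[channel]:
            s = pending[channel].pop(0)  # FIFO: the oldest unmatched send first
            if m1["act"][s][2] != name:
                raise ValueError(f"FIFO violation on {channel}: {s} carries "
                                 f"{m1['act'][s][2]!r}, {r} expects {name!r}")
            msgs.add((s, r))
    return cmsc(lines, act, msgs)

# Constructed sample from the text: two isolated sends 1!2(a) followed by two
# isolated receives 2?1(a) yield two successive complete messages from 1 to 2.
M1 = cmsc({"1": ["s1", "s2"], "2": []},
          {"s1": ("send", "2", "a"), "s2": ("send", "2", "a")})
M2 = cmsc({"1": [], "2": ["r1", "r2"]},
          {"r1": ("recv", "1", "a"), "r2": ("recv", "1", "a")})

if __name__ == "__main__":
    M = compose(M1, M2)
    print(sorted(M["msgs"]), realizable(M))   # [('s1', 'r1'), ('s2', 'r2')] True
    print(isolated(M1), realizable(M1))       # ['s1', 's2'] False
```

Sends of M1 that find no receive in M2 simply stay isolated, so `realizable` applied to the result of a whole path is the check for realizability of a cHMSC.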
We end this section by some properties needed later in our algorithms. An MSC $M$ is called atomic, if it cannot be written as $M = M_1 \circ M_2$, where $M_1, M_2$ are non-empty MSCs. [9] describes an algorithm for testing whether an MSC $M$ is atomic. This algorithm tests in linear time whether the following graph is strongly connected:

Definition 1. Let $M = (E, <, A, V, t, P, m)$ be an MSC over set of events $E$. The connection graph $CG(M) = (E, \to_{CG})$ of $M$ is defined by $v_1 \to_{CG} v_2$ if either $P(v_1) = P(v_2)$ and $v_1 < v_2$, or one of $(v_1, v_2)$, $(v_2, v_1)$ is a message in $M$ (edges are added from receives to associated sends).

Proposition 1. [9] An MSC $M$ is atomic if and only if the connection graph $CG(M)$ is strongly connected.

3 Projections of MSCs 

Consider an MSC $M = (E, <, A, V, t, P, m)$ and a subset of events $E' \subseteq E$. The projection of $M$ on $E'$ is denoted $\pi_{E'}(M)$ and is obtained by erasing the events in $E \setminus E'$, and inheriting the causal dependencies from $M$. The set $E'$ can represent for example all the events located on a subset of processes (instances). Formally, $\pi_{E'}(M)$ is the restriction of the poset $M$ to $E'$, defined as $\pi_{E'}(M) = (E', <', V, P', m')$, where $<', P'$ are the restrictions of $<, P$ to $E'$. Events from the set $E'$ will be called non-erased events. In the same way as for MSCs we depict the causal dependency between different processes by a causality (aka message) relation $m'$. We let $(e,f) \in m'$ for two non-erased events $e, f \in E'$, if $e \lessdot' f$ and $P(e) \neq P(f)$. That is, $e$ and $f$ are events located on different processes, $e < f$ in $M$ and there is no intermediate non-erased event $g \in E'$ with $e < g < f$. The projection of an MSC will be called a pMSC for short.

Note that a pMSC is not necessarily an MSC, since an event in the projection may gather several actions of the initial MSC (these events will be called multi-type events). The example of Figure 1-c shows the projection of the MSC in Figure 1-a on $E' = \{e_1, e_2, e_3, e_5, e_8\}$. Since $e_1 < e_5$, we have to create a message between $e_1$ and $e_5$ to keep ordering. Similarly, as $e_5 < e_8$, we have to create a message between $e_5$ and $e_8$. In the projection, event $e_5$ has several types, a receive from the Sender process and two sends to Receiver and Sender. However, multi-type events are not a real problem for modeling, as pMSCs are still partially ordered event sets.

We can define atomic pMSCs similarly to MSCs: A pMSC $M$ is atomic if the connection graph $CG(M)$ is strongly connected. For example, the pMSC $M' = \pi_{\{e_1, e_2, e_3, e_5, e_8\}}(M)$ of Figure 1-c is atomic. Thus, in addition to the edges represented in the Hasse diagram of Figure 1-c, the connection graph $CG(M')$ contains the back edges from each receive to its associated send (among them $(e_5, e_1)$ and $(e_8, e_5)$), and is strongly connected. Note that projections do not preserve atomicity. In general, atoms of $\pi_E(M)$ can be larger than those of $M$.
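The projection of this section and the atomicity test of Definition 1 and Proposition 1, as an added Python example (this is not the paper's own code; the MSC record layout and the Sender/Medium/Receiver chart are constructed here). It computes the partial order $<$ of a chart, builds $\pi_{E'}(M)$ with the inherited order and the derived message relation $m'$, and contrasts it with a naive projection that keeps only the messages whose two ends survive, which is exactly how the causality between the events on the two remaining processes gets lost. The connection-graph check then shows a chart that is not atomic whose projection is atomic, and the last projection produces a multi-type event.

```python
def msc(lines, msgs):
    """A constructed MSC record (not the paper's tuple notation):
    lines = {process: [events in visual order]}, msgs = {(send, receive)}."""
    proc = {e: p for p, es in lines.items() for e in es}
    return {"lines": dict(lines), "msgs": set(msgs), "proc": proc}

def causal_order(m):
    """The partial order < of M as {e: set of f with e < f}: the transitive
    closure of the process ordering and the message ordering."""
    less = {e: set() for e in m["proc"]}
    for es in m["lines"].values():
        for a, b in zip(es, es[1:]):
            less[a].add(b)
    for s, r in m["msgs"]:
        less[s].add(r)
    changed = True                      # naive iterative closure, fine for charts
    while changed:
        changed = False
        for succ in less.values():
            new = set().union(*(less[f] for f in succ)) - succ
            if new:
                succ |= new
                changed = True
    return less

def before(m, e, f):
    """e < f in M."""
    return f in causal_order(m)[e]

def naive_project(m, keep):
    """Erase events and keep only messages whose two ends survive: any
    ordering that went through an erased event is lost."""
    keep = set(keep)
    return msc({p: [e for e in es if e in keep] for p, es in m["lines"].items()},
               {(s, r) for s, r in m["msgs"] if s in keep and r in keep})

def project(m, keep):
    """pi_{E'}(M): restrict < to the non-erased events and create a message
    (e, f) for non-erased e < f on different processes with no non-erased g
    in between, i.e. the covering pairs of <' across processes."""
    keep = set(keep)
    less = causal_order(m)
    less2 = {e: less[e] & keep for e in keep}
    msgs = {(e, f) for e in keep for f in less2[e]
            if m["proc"][e] != m["proc"][f]
            and not any(f in less2[g] for g in less2[e])}
    return msc({p: [e for e in es if e in keep] for p, es in m["lines"].items()}, msgs)

def event_types(m, e):
    """Roles an event plays; a pMSC event may be both a receive and a send."""
    return ({"send" for s, _ in m["msgs"] if s == e} |
            {"recv" for _, r in m["msgs"] if r == e})

def connection_graph(m):
    """CG(M) of Definition 1: process-successor edges plus both directions of
    every message (the back edge runs from the receive to its send)."""
    adj = {e: set() for e in m["proc"]}
    for es in m["lines"].values():
        for a, b in zip(es, es[1:]):
            adj[a].add(b)
    for s, r in m["msgs"]:
        adj[s].add(r)
        adj[r].add(s)
    return adj

def reachable(adj, start):
    seen, stack = {start}, [start]
    while stack:
        for n in adj[stack.pop()]:
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return seen

def atomic(m):
    """Proposition 1: M is atomic iff CG(M) is strongly connected, i.e. every
    event is reachable from some e0 and e0 is reachable from every event."""
    adj = connection_graph(m)
    if not adj:
        return False
    rev = {e: set() for e in adj}
    for a, bs in adj.items():
        for b in bs:
            rev[b].add(a)
    e0 = next(iter(adj))
    return reachable(adj, e0) == set(adj) and reachable(rev, e0) == set(adj)

# Constructed chart: Sender sends a to Medium, which forwards it as b to Receiver.
M = msc({"Sender": ["a_s"], "Medium": ["a_r", "b_s"], "Receiver": ["b_r"]},
        {("a_s", "a_r"), ("b_s", "b_r")})

if __name__ == "__main__":
    keep = {"a_s", "b_r"}                                 # project on Sender and Receiver
    print(before(M, "a_s", "b_r"))                        # True: a_s < b_r in M
    print(before(naive_project(M, keep), "a_s", "b_r"))   # False: causality lost
    print(project(M, keep)["msgs"])                       # {('a_s', 'b_r')}: causality kept
    print(atomic(M), atomic(project(M, keep)))            # False True
    P2 = project(M, {"a_s", "a_r", "b_r"})
    print(sorted(event_types(P2, "a_r")))                 # ['recv', 'send']: multi-type event
```

The chart `M` is `(a) o (b)`, so it is not atomic, whereas its projection on Sender and Receiver is a single message and therefore atomic: the atoms of the projection are larger than those of the original chart, as stated above.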

For an HMSC $H = (V, \to, v^0, F, \lambda)$, the projection $\pi_{E'}(H)$ is defined as the projection of each MSC obtained from an accepting path of $H$ on all occurrences of events of $E'$. Let $v$ be a node of $H$, and let us denote by $E_v$ the events associated to the MSC $\lambda(v)$. Let $E''$ be the set of occurrences of events of $E'$ along the path (the union of the sets $E_v \cap E'$ over the nodes $v$ of the path). Then, the set of pMSCs defined by the pHMSC $H' = \pi_{E'}(H)$ is the set $\mathcal{L}(H') = \{\pi_{E''}(\lambda(v_1) \circ \cdots \circ \lambda(v_k)) \mid v_1 \to \cdots \to v_k \text{ is an accepting path of } H\}$. We will call the projection of an HMSC a pHMSC.

4 Comparing pHMSCs with HMSCs 

The description of a pHMSC by an HMSC, together with a projection func- 
tion, has several drawbacks. First, since causal dependencies are only implicitly 
given by the HMSC, a projected scenario is difficult to understand. Second, an 
implicit representation is not convenient for algorithmic manipulations. Third, 
by projecting an HMSC we usually want to obtain a smaller object, with a 
more compact representation. An immediate question appears when projecting 
an HMSC $H$ to some pHMSC $H' = \pi_{E'}(H)$, namely whether there exists some equivalent HMSC $G$, i.e., such that $\mathcal{L}(G) = \mathcal{L}(H')$? In particular, if $H'$ is equivalent to some HMSC, then there exists a finite set $X$ of generators for $\mathcal{L}(H')$. That is, there exists a finite set $X$ of MSCs such that every $M \in \mathcal{L}(\pi_{E'}(H))$ is a product of elements from $X$. We show below two situations that can prevent the existence of such a set $X$.

The first case is called an unbounded crossing. Intuitively, a pHMSC contains 
an unbounded crossing if there is a communication pattern that can be iterated 
an arbitrary number of times between two events situated on different processes 
that are causally related. For example, the HMSC of Figure 2-a generates an 
unbounded crossing for a projection on the instances A and B. Figure 2-b shows 
the partial orders generated by the HMSC of Figure 2-a, and Figure 2-c shows 
the partial orders after the projection on A and B. The MSCs in the projection 
are all atomic, hence there is no finite set generating them. 

A second situation ruling out a finite representation is called a crown. Let us 
illustrate the presence of a crown on an example. Consider the HMSC of Fig- 
ure 3. This HMSC describes scenarios for data transmission and acknowledgment 
for a multi-cast protocol called RMTP2. The RMTP2 network is organized as 
a tree, propagating data packets from a data source in the network, and aggre- 
gating acknowledgments in order to retransmit missed packets. Some nodes are 
designated to store a copy of the data sent, and retransmit each missed packet 
to the child subnetwork, if necessary. When a child receives a data packet, it 
may send an acknowledgment message Hack to its parent. A receiver may also 
decide to send an acknowledgment after a certain delay tHackval. The situation 
depicted by HMSC of Figure 3 shows communications between a node and two 
children. Child1 always sends an acknowledgment to its parent upon data reception, while Child2 always acknowledges data packets after the delay expiration. Furthermore, packets are never missed, but Child1 can receive corrupted data,
and retransmission and Hack packets may cross. The left part of Figure 3 shows 
the partial order associated with $(\mathit{HackIncomplete} \circ \mathit{Crossing})^*$. The right part
of Figure 3 shows the same order after hiding the Parent, and all timer events. 
Fig. 2. a) HMSC generating an unbounded crossing b) MSC c) pMSC

[Figure 3 shows the instance axes Parent, Child1, Child2 on the left and Child1, Child2 on the right.]

Fig. 3. A part of RMTP2 protocol and a crown generated by hiding instance Parent



It is clear that without breaking messages (or more precisely causal dependen- 
cies between distinct instances) the order obtained after projection can not be 
defined as a composition of finite communication patterns. 
Fig. 4. The cHMSC in the right part is not a pHMSC.



5 Projections and Compositional HMSCs 

In the previous section we saw that pHMSCs can describe behaviors that can- 
not be captured by HMSCs. Still, we might ask whether there is some graphical 
model for pHMSCs that involves only the non-erased events. Natural candidates 
for such a model are compositional HMSCs (cHMSC) [6], which correspond to 
a message relation that is defined on a given path, rather than on each node. 
Actually, both situations described in section 4 can be easily described by cHM- 
SCs. The main result of this section states that pHMSCs have equal expressive 
power with realizable cHMSCs. 

Since pHMSCs involve in general multi-type events we actually need enriched 
versions of MSCs and cMSCs, by allowing multi-type events. For simplicity we 
will assume in this section that the projections do not generate multi-type events.
However, our constructions can be easily adapted to this case. 

We first note that cHMSCs are at least as expressive as pHMSCs. A formal 
proof will be given by showing later that one can decide whether a given pHMSC 
is equivalent to an HMSC, whereas this question is undecidable for cHMSCs. 

Figure 4 below gives a rough idea of what kind of behavior of cHMSCs cannot be expressed as the projection of an HMSC. In the cHMSC in the left part of Figure 4 two or more isolated send events $\alpha$ are matched after an arbitrary number of $\beta$ messages. If we have to describe this behavior using a pHMSC, we would need for each event $\alpha$ a new process, that disappears through projection (processes $C_1, C_2$ in the middle part of Figure 4). More formally, for matching a sequence $e_1 < \cdots < e_n$ of sends on process $A$ with a sequence $f_1 < \cdots < f_n$ of receives on process $B$, we need for each pair $e_i, f_i$ a new process $C_i$. If for instance $C_1 = C_2$, then $e_1 < e_2 < f_1 < f_2$, hence we do not have $e_2 \lessdot f_2$, that is we do not create a message from $e_2$ to $f_2$. Since the number of processes is fixed we therefore cannot describe the behavior of the cHMSC in the right part of Figure 4 by a pHMSC.
5.1 Comparing pHMSCs and cHMSCs

From the previous examples, cHMSCs seem good candidates for describing pHM- 
SCs without multi-type events. We show in this section that pHMSCs correspond 
precisely to a subclass of cHMSCs, that of realizable cHMSCs. We recall that 
a cHMSC is called realizable, if every accepting path is labeled by an MSC. 
Throughout this section, $H$ will denote an HMSC and $H' = \pi(H)$ its projection. An event of the pHMSC $H'$ will be denoted as non-erased event.

Given a pHMSC, we will construct an equivalent cHMSC by guessing the 
type of the non-erased events. We check the types by restricting the transition 
relation of the cHMSC. Let $M$ be an MSC with event set $E$ and let $M' = \pi_{E'}(M)$ be the projection of $M$ onto the set of events $E' \subseteq E$. We have to guess the type of some events $e \in M'$ (send/receive/local, to which process etc). For example, in Figure 3 we have to guess that the first event on Child1 becomes a send to Child2 in the projection. In order to verify that the guess was correct, we need to keep track of the processes occurring in the future of $e$ within $M$. Among these processes we need also to know which processes are seen by a non-erased event $e' > e$ (such processes are called dead, since no immediate successor $f$ of $e$, i.e. no $f$ with $e \lessdot f$, can occur on such a process). Hence, let us define for each non-erased event $e \in E'$:

$F(e) = \{P(f) \mid e < f \in E\}$ (future processes)

$\mathit{DeadF}(e) = \bigcup_{e < e' \in E'} F(e')$ (dead processes)

$\mathit{LiveF}(e) = F(e) \setminus \mathit{DeadF}(e)$ (live processes)

A non-erased event $e \in E'$ is called unchecked if $\mathit{LiveF}(e) \neq \emptyset$. When an event $e$ is created, it is unchecked. Intuitively, $e$ becomes checked as soon as we have the proof that it can have no more immediate successor in the projection. It is easy to test the guess for a checked event. If the guess is correct, then we can forget the event, else the guess was wrong and the current path is not accepting.

We show that $\mathit{LiveF}(e) = \emptyset$ means that $e$ has no more immediate successor. Let $e < e'$ be non-erased and $p \in F(e')$. Assume by contradiction that $e$ is matched by some non-erased event $f$ after $M$ with $P(f) = p$. We have that $e < e' < f$, hence a contradiction.
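A worked example of $F$, $\mathit{DeadF}$ and $\mathit{LiveF}$, added here as Python code (it is not the paper's own): the chart with three instances is constructed for illustration, futures are computed by reachability over the immediate-successor relation (process successor and message), and the set of non-erased events $E'$ is passed explicitly so that the same chart can be projected in two ways. The second projection shows an event becoming checked once every process in its future is also in the future of a later non-erased event.

```python
# Constructed MSC (not from the paper): Sender sends a to Medium, Medium forwards
# b and then d to Receiver, and Receiver finally acknowledges with c to Sender.
LINES = {"Sender": ["a_s", "c_r"],
         "Medium": ["a_r", "b_s", "d_s"],
         "Receiver": ["b_r", "d_r", "c_s"]}
MSGS = {("a_s", "a_r"), ("b_s", "b_r"), ("d_s", "d_r"), ("c_s", "c_r")}
PROC = {e: p for p, es in LINES.items() for e in es}        # the mapping P
SUCC = {e: set() for e in PROC}                            # immediate successors
for es in LINES.values():
    for x, y in zip(es, es[1:]):
        SUCC[x].add(y)                                       # process ordering
for s, r in MSGS:
    SUCC[s].add(r)                                           # message ordering

def future(e):
    """All events f with e < f (reachability along the visual order)."""
    seen, stack = set(), list(SUCC[e])
    while stack:
        f = stack.pop()
        if f not in seen:
            seen.add(f)
            stack.extend(SUCC[f])
    return seen

def F(e):
    """Future processes of e: {P(f) | e < f}."""
    return {PROC[f] for f in future(e)}

def dead(e, nonerased):
    """DeadF(e): union of F(e') over the non-erased e' with e < e'."""
    return set().union(*(F(e2) for e2 in future(e) if e2 in nonerased))

def live(e, nonerased):
    """LiveF(e) = F(e) minus DeadF(e)."""
    return F(e) - dead(e, nonerased)

def unchecked(nonerased):
    """ToCheck: the non-erased events that may still get an immediate successor."""
    return {e for e in nonerased if live(e, nonerased)}

if __name__ == "__main__":
    # Keep a_s and b_r only: Medium stays live for a_s, because a Medium event in
    # a later node of the path could still become its immediate successor.
    print(sorted(live("a_s", {"a_s", "b_r"})))               # ['Medium']
    # Also keep b_s: b_s < d_s on Medium, so Medium is dead for a_s and a_s is checked.
    print(sorted(live("a_s", {"a_s", "b_s", "b_r"})))        # []
    print(sorted(unchecked({"a_s", "b_s", "b_r"})))          # ['b_r', 'b_s']
```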

The set of unchecked events of pMSC $M'$ is denoted $\mathit{ToCheck}(M')$. The next lemma bounds the number of unchecked events on any path of a pHMSC $H' = \pi(H)$ polynomially in the number of processes.

Lemma 1. Let $\rho$ be an initial path of an HMSC $H$ over $p$ processes, and $M'$ the pMSC defined by projecting $\rho$. Then $|\mathit{ToCheck}(M')|$ is bounded by a polynomial in $p$.

Theorem 1. Let H be an HMSC with n nodes over p processes, and consider 
a projection H' of H. Then we can construct a realizable cHMSC G that is 
equivalent to H' , of size K 

Our construction can be easily modified in the presence of multi-type events, 
for obtaining an extended realizable cHMSC. 
A cHMSC is called $b$-bounded if for each initial path $\rho$, each prefix of $\rho$ is labeled by a cMSC with at most $b$ unmatched sends. Moreover, a realizable cHMSC of size $s$ is $s$-bounded. Although the cHMSC obtained in Theorem 1 has exponential size, the number of unmatched sends is polynomial in the size of $H$ (see Lemma 1). We can restate Lemma 1 as follows:

Proposition 2. Let $H' = \pi(H)$ be a pHMSC and let $G$ be the realizable cHMSC constructed in Theorem 1. Then $G$ is $b$-bounded for some $b$ polynomial in $p$, where $p$ is the number of processes of $H$.

For the converse direction, we construct a pHMSC from a cHMSC by intro- 
ducing new processes for isolated events: 

Theorem 2. Realizable cHMSCs and pHMSCs (with no multi-type events) have 
the same expressive power. 

For example, for an HMSC H defined by a unique node with a self loop, 
labeled by a single message (s,r) from p to q, the cHMSC equivalent to the 
projection of H on {p} is a self loop on a local event of p corresponding to 
s. This event is not a send anymore, since it has no immediate successor on a 
different process. We actually need unmatched sends only when dependencies 
are not preserved by the trivial projection (without rebuilding the order). 



6 Atoms as Generators 

In this section we show how to construct a compact representation of the gener- 
ators (atoms) of a given realizable cHMSC G. This problem is directly related to 
the construction for a given realizable cHMSC G (or a pHMSC) of an equivalent 
HMSC, if it exists, and it involves the computation of the smallest MSCs that 
are factors of some MSC $M \in \mathcal{L}(G)$. Formally, given a realizable cHMSC $G$ we want to compute the set $\mathrm{Gen}(G)$ of generators of $G$ defined as follows. An atomic MSC $M$ belongs to $\mathrm{Gen}(G)$ if $N = N_1 M N_2$ for some $N \in \mathcal{L}(G)$ and some MSCs $N_1, N_2$.

Clearly, for a realizable cHMSC to be equivalent to an HMSC, Gen(G) needs 
to be finite. At the end of the section we show that if Gen(G) is finite, then we 
can construct effectively an equivalent HMSC. 



6.1 An Automata-Based Representation of Generators 

We show now how to construct for a given realizable cHMSC $G$ a finite automaton $\mathcal{A}(G)$ that accepts only linearizations of $\mathrm{Gen}(G)$ and such that for every $M \in \mathrm{Gen}(G)$, at least one linearization of $M$ is accepted by $\mathcal{A}(G)$. The idea is to have a non-deterministic automaton $\mathcal{A}(G)$ that works as follows. Given an execution $z$ of $G$ (a linearization of some MSC in $\mathcal{L}(G)$), the automaton guesses a factor $w$ of $z$ containing a generator $M \in \mathrm{Gen}(G)$ and extracts the events of $M$ from $w$. Note that since we cannot choose the linearization $z$, such a generator $M$ won't be itself a factor of $z$.
The automaton $\mathcal{A}(G)$ must check two conditions in the definition of the generating set $\mathrm{Gen}(G)$. First, we guess for each event $e$ of the linearization $z$ above a type $k \in \{0, 1, 2\}$, telling whether $e$ belongs to $N_1$ ($k = 0$), to $M$ ($k = 1$) or to $N_2$ ($k = 2$). In addition, we check whether the guessed type is consistent, that is, that every send is of the same type as its associated receive. This will guarantee that $N_1$, $N_2$ and $M$ are all complete MSCs. The strategy is that $\mathcal{A}(G)$ will read the HMSC $G$ and write or not an event $e$ read according to its guess whether $e \in M$ or not.

The harder part is that $\mathcal{A}(G)$ must check that $M$ is atomic. Proposition 1
gives an algorithm for verifying that a given MSC M is atomic, checking that 
the connection graph CG{M) is strongly connected. 

We have now to test whether an MSC M is atomic using a finite automaton, 
that takes as input some arbitrary linearization of M . However, we cannot use 
directly the algorithm of [9], since the number of connected components is not 
bounded. In order to handle this, we restate the result of [9] as follows: 

Proposition 3. Let $M$ be an MSC. Then $M$ is atomic if and only if for every pair of processes $p, q$, there is a path in $CG(M)$ from the last event of $p$ to the first event of $q$.

We say that an event $e$ of $M$ sees another event $f$ if there exists a path from $e$ to $f$ in $CG(M)$.

The main idea behind the construction of $\mathcal{A}(G)$ is to keep some information for two kinds of events. First, $\mathcal{A}(G)$ needs to record the last event in $M$ (type $k = 1$) on each process. Let $\mathit{last}_p$ denote the last event on process $p$ seen so far by $\mathcal{A}(G)$. Moreover, $\mathcal{A}(G)$ needs to take into account the unmatched send events in $M$ (type $k = 1$). Let $S$ denote the set of these sends. The set $S$ contains at most $b$ sends, where $b$ is the size of the cHMSC $G$.

Let $X = \{\mathit{last}_p \mid 1 \le p \le p\} \cup S$. Now, for each pair $(x, p) \in X \times \{1, \ldots, p\}$ we record an integer $T(x,p) \in \{0, 1, 2\}$ telling whether $x$ sees the first $p$-event in $M$ ($T(x,p) = 2$), or whether $x$ sees $\mathit{last}_p$ but not the first $p$-event in $M$ ($T(x,p) = 1$), or whether it sees no $p$-event in $M$ at all ($T(x,p) = 0$). Actually, $\mathcal{A}(G)$ uses a "vision" function $T : (x,p) \in X \times V \mapsto T(x,p)$, and a function $\mathcal{S} : x \in X \mapsto \mathcal{S}(x)$ where $\mathcal{S}(x) \subseteq S$ denotes the unmatched sends seen by $x$.

Clearly, computing the vision function of each event lastp suffices for decid- 
ing whether CG{M) is strongly connected. This idea is used in the following 
construction. 

Theorem 3. Let $G$ be a realizable cHMSC. Then we can construct effectively a finite automaton $\mathcal{A}(G)$ that accepts only linearizations of $\mathrm{Gen}(G)$, such that for every $M \in \mathrm{Gen}(G)$ at least one linearization of $M$ is accepted by $\mathcal{A}(G)$.

Using the automaton constructed in Theorem 3 we can test whether a given 
realizable cHMSC (or a pHMSC) is equivalent to an HMSC in polynomial space: 

Theorem 4. Checking whether $\mathrm{Gen}(G)$ is finite for a given realizable cHMSC $G$ (pHMSC $G$, resp.) can be done in PSPACE. Moreover, the problem is co-NP-hard.
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6.2 From Realizable cHMSCs to HMSCs 

We have an algorithm for checking whether the MSC executions of a realizable 
cHMSC G are finitely generated. We show in this section how to construct effec- 
tively an equivalent HMSC H, in case that the answer is positive. For simplicity, 
we will assume that states of G are labeled by single events. 

Let Gen(G) be the finite set of atoms of the realizable cHMSC G. We de- 
note by maxsize the size of the largest atom of Gen(G) and by b the bound on 
unmatched sends on paths of G. 

We first describe intuitively the construction. The HMSC $H$ will have states labeled by the atomic MSCs in $\mathrm{Gen}(G)$. In addition, we will label each state with some information concerning paths of $G$ that can correspond to the sequence of atoms read so far in $H$. This additional information consists of a sequence of segments of a path of $G$ (i.e. a sub-path), that match this sequence of atoms. That is, each time we read an atom $A \in \mathrm{Gen}(G)$, we guess new segments of the path of $G$ that correspond to the MSC $A$. We keep track of path segments by recording only the first/last node of each segment and the processes occurring in the segment. Hence, all we need is that the number of segments is bounded (see the claim below).

We first define the HMSC $H$. Let $\mathit{Path}$ be the set of sub-paths of $G$ consisting of at most $(b+1) \cdot \mathit{maxsize}$ segments. The set of nodes of $H$ is $V = \mathrm{Gen}(G) \times \mathit{Path}$. A node $(A, \rho) \in V$ is labeled by $A$. Moreover, there is an edge in $H$ from a node $(A, \rho)$ to $(A', \rho')$ iff $\rho \sqsubseteq \rho'$, and $\lambda(\rho') = \lambda(\rho) \circ A'$. Here, we write $\rho \sqsubseteq \rho'$ if $\rho$ is included in $\rho'$, i.e. each segment of $\rho$ is included in a segment of $\rho'$, and in the same order. The initial node is $(\emptyset, \varepsilon)$, and the final nodes $(A, \rho)$ are those where $\rho$ is a one-segment, accepting path of $G$.

Theorem 5. Let $G$ be a cHMSC where $\mathrm{Gen}(G)$ is finite. Let $n$ be the number of nodes of $G$, $e$ the number of events, $\mathit{maxsize}$ the maximal size of MSCs in $\mathrm{Gen}(G)$ and $b$ the maximal number of unmatched sends on initial paths of $G$. Then we can construct an equivalent HMSC $H$ from $G$ of size $O((n^2 \cdot 2^p \cdot e)^{\mathit{maxsize}})$.

Proof. Let $M \in \mathcal{L}(H)$, then there exists an initial path of $G$ labeled by $M$. Conversely, let us consider an MSC $M = A_1 \cdots A_n$, where each $A_i$ belongs to $\mathrm{Gen}(G)$. This MSC labels an accepting path $\rho = v_1 \to \cdots \to v_k$ of $G$.

For simplicity, we extend the visual order of $M$ to the atoms $A_i$ by letting $A_i < A_j$ if there are some events $e$ in $A_i$, $f$ in $A_j$ with $e < f$. Now, we will assume w.l.o.g. that for every $i < j$ such that $A_i \not< A_j$ the first event of $A_i$ in $\rho$ comes before the first event of $A_j$ in $\rho$. That is, we choose an ordering of the atoms of $M$ according to their first occurrence in $\rho$.

Claim: Let $l \in \{1, \ldots, n\}$ and let $\rho_l$ be the sequence of segments of $\rho$ labeled by $A_1 \cdots A_l$. Then $\rho_l$ consists of at most $(b+1) \cdot \mathit{maxsize}$ segments.

Proof of the claim: We denote by $\rho^j$ the longest prefix of $\rho$ that contains no event of $A_j$. Let also $m$ be such that $\rho^m$ is the longest prefix $\rho^j$ with $j \le l$.

The pMSC labeling $\rho^m$ has at most $b$ unmatched sends, among which $b'$ sends belong to $\rho_l$. Thus, $b'' = b - b'$ is the number of unmatched sends in $\rho^m \setminus \rho_l$ (the difference of two paths is obtained by deleting the nodes of the second path from the first one).




We claim first that there is no complete atomic MSC $A_p$ in $\rho^m \setminus \rho_l$. To see this, note first that such a complete MSC $A_p$ must satisfy $p > l$. However, it can satisfy neither ($A_p \not< A_m$ and $A_m \not< A_p$), by the choice of the ordering $A_1 \cdots A_n$, nor $A_m < A_p$, since $\rho^m$ has an empty intersection with $A_m$. Since each incomplete atom of $\rho^m \setminus \rho_l$ contributes with at least one unmatched send in $\rho^m$, we obtain that there are at most $b'' \cdot (\mathit{maxsize} - 1)$ events in $\rho^m \setminus \rho_l$, thus at most $b'' \cdot (\mathit{maxsize} - 1) + 1$ segments in $\rho_l \cap \rho^m$.

Moreover, by definition of $m$ there is just one new atom starting in $\rho_l \setminus \rho^m$, namely $A_m$. Hence there are at most $b' + 1$ different atoms in $\rho_l \setminus \rho^m$ ($b'$ that started already in $\rho^m$ plus $A_m$). This yields at most $(b' + 1) \cdot \mathit{maxsize}$ events in $\rho_l \setminus \rho^m$, hence at most $(b' + 1) \cdot \mathit{maxsize}$ segments. Therefore, we conclude that $\rho_l$ contains at most $(b' + b'' + 1) \cdot \mathit{maxsize} = (b+1) \cdot \mathit{maxsize}$ segments.

Concerning the size of $H$, for each path segment it suffices to remember the first/last node, and the processes that occurred in the segment. This gives at most $(|G|^2 \cdot 2^p)^{\mathit{maxsize}} = 2^{(2\log|G| + p) \cdot \mathit{maxsize}}$ paths consisting of less than $b \cdot \mathit{maxsize}$ segments. □

Example: Let $G$ be a cHMSC with 4 states $Q, R, S, T$, labeled respectively by $s, s, r, r$ where $s$ is a send on process 1 corresponding to a receive $r$ on process 2. There are edges from $Q$ to $R$, $R$ to $S$, $S$ to $R$, and $S$ to $T$. Let $A$ be the atom consisting of the message $(s,r)$. The set of atoms of $G$ is $\{A\}$, hence each state of $H$ is labeled by $A$ (or $\emptyset$). We describe some of the resulting states of $H$:

— $s_1$ is the state $([Q, \{1\}]; [S, \{2\}])$, consisting of two segments, one being a path from $Q$ to $Q$ and the other from $S$ to $S$,

— $s_2$ is the state $([Q, \{1\}]; [T, \{2\}])$,

— $s_3$ is the state $([Q, S, \{1, 2\}]; [S, \{2\}])$ consisting of two segments, one being a path from $Q$ to $S$, the other the path from $S$ to $S$,

— $s_4$ is the (final) state $([Q, T, \{1, 2\}])$.

We have for instance edges from $(\emptyset, \varepsilon)$ to $s_1$ and $s_2$. However, $s_2$ is a bad guess (that is, it will never reach the final state $s_4$). The reason is it cannot be extended by $A$: the segment $[T, \{2\}]$ forbids using the node $v_3$, since it already contains process 2. There are edges from $s_1$ to $s_3$, $s_3$ to $s_4$, $s_1$ to $s_4$ and a loop on $s_3$. The loop on $s_3$ corresponds to the guess of a scattered sub-path $[R, \{1\}]; [S, \{2\}]$ labeled by $A$, and to the guess $[R, \{1\}]$ making the connection between $[Q, S, \{1, 2\}]$ and $[S, \{2\}]$, while $[S, \{2\}]$ is a disjoint segment.

Since the number of atoms is bounded, $H$ is of exponential size. A priori, $\mathit{maxsize}$ can be exponential in the size of the pHMSC, yielding an HMSC of doubly exponential size, but we believe this to be very unlikely. Actually, showing that $\mathit{maxsize}$ is polynomial is as hard as showing that "$\mathrm{Gen}(G)$ finite?" is NP-complete.

7 Model-Checking HMSCs against HMSCs 

Validating HMSCs specifications allows detection of inconsistencies or undesired 
behaviors at early design stages. However, model-checking HMSCs specifications 
against properties specified by HMSCs is undecidable, in general (see e.g. [2, 
13]). Several papers considered restrictions of HMSCs [2,13,8], for which model- 
checking becomes decidable. The first positive results were obtained for bounded 
HMSCs [2,13], for which the set of MSC-linearizations is regular. A large family 
of HMSCs ensuring decidability of model-checking is given by the globally 
cooperative property [4]. An HMSC is globally cooperative if every loop is labeled 
by an MSC $M$ that cannot be written as $M = M_1 \circ M_2$, where $M_1, M_2$ are 
non-empty MSCs over disjoint sets of processes. 

We consider in this section model-checking for pHMSCs against HMSC prop- 
erties and we show two settings for which the problem is decidable, with the same 
complexity as for HMSCs. 

The next theorem shows that model-checking remains decidable, if the 
pHMSC is arbitrary, but the HMSC property is globally cooperative: 

Theorem 6. Let $G$ be a globally cooperative HMSC, $H$ an HMSC and $\pi_E(H)$ a 
projection of $H$. Then we can check in PSPACE whether $\mathcal{L}(\pi_E(H)) \cap \mathcal{L}(G) = \emptyset$, 
and in EXPSPACE whether $\mathcal{L}(\pi_E(H)) \subseteq \mathcal{L}(G)$. 

Even if the complexities we stated are rather high, note that in practice both 
the HMSC property and the reduced specification (the HMSC projected on a 
small part) can be reasonably small. 

The second decidability result is based on the fact that the projection of a 
bounded HMSC preserves the boundedness. 

Theorem 7. Let $G$ be a bounded HMSC, $H$ an HMSC and $\pi_E(G)$, $\pi_{E'}(H)$ 
their respective projections. Then we can check in PSPACE whether $\mathcal{L}(\pi_E(G)) \cap 
\mathcal{L}(\pi_{E'}(H)) = \emptyset$, and in EXPSPACE whether $\mathcal{L}(\pi_{E'}(H)) \subseteq \mathcal{L}(\pi_E(G))$. 

The last result shows that we can compare two projections of HMSCs (e.g. 
in order to find common parts), as long as one of them is bounded, with the 
same complexity as for bounded HMSCs. 




High-Level Message Sequence Charts and Projections 325 



8 Conclusion 

In this paper we defined projections of HMSCs and showed how to decide whether 
an HMSC projection can be represented as an HMSC. This notion of projection 
can then be used to perform model-checking when at least one of the HMSCs 
considered is either globally cooperative or bounded. Even when model-checking 
is not possible, HMSC projections may still be useful for a designer for extracting 
causality information from scenario descriptions. As already pointed out, the 
projection of an HMSC may result in a larger HMSC. However, this is just a 
worst-case estimation that is unlikely in practice. For example, hiding a complete 
instance would probably have a greater impact on the shape of the projection 
than a random choice of the hidden events. Moreover, the presence of unbounded 
crossings or crowns may reveal some properties of the system under study. For 
example, when a projection hides the communication medium, the presence of a 
crown can indicate the impossibility to save a consistent global snapshot of the 
system in some executions. 
Abstract. We describe a probabilistic polynomial-time process calculus 
for analyzing cryptographic protocols and use it to derive composi- 
tionality properties of protocols in the presence of computationally 
bounded adversaries. We illustrate these concepts on oblivious transfer, 
an example from cryptography. We also compare our approach with a 
framework based on interactive Turing machines. 

Keywords: cryptographic protocols, probabilistic process calculus, 
computational security, composition theorem 



1 Introduction 

The design and verification of security protocols is a difficult problem. Some of 
the difficulties come from subtleties of cryptographic primitives. Further difficul- 
ties arise because security protocols are required to work properly when multiple 
instances of the protocol are carried out in parallel, where a malicious intruder 
may combine data from separate sessions in order to confuse honest partici- 
pants. Moreover, although the protocols themselves are often very simple, the 
security properties they are supposed to achieve are rather subtle and should be 
formulated with great care. 

A variety of methods are used for analyzing and reasoning about security 
protocols. Although such methods differ in significant ways, many of them 
reflect the same basic assumptions about the way an adversary may interact 
with the protocol or attempt to decrypt encrypted messages . In the common 

* Partially supported by FCT grant SFRH/BPD/5625/2001, and by FEDER/FCT 
project FibLog POCTI/2001/MAT/37239. 

** Partially supported by OSD/ONR MURI “Semantic Consistency in Information 
Exchange” as ONR Grant N00014-97-1-0505, and by OSD/ONR CIP/SW URI 
“Software Quality and Infrastructure Protection for Diffuse Computing” as ONR 
Grant N00014-01-1-0795. 

*** Partially supported by OSD/ONR MURI “Semantic Consistency in Information 
Exchange” as ONR Grant N00014-97-1-0505, by OSD/ONR CIP/SW URI “Software 
Quality, Infrastructure Protection for Diffuse Computing” as ONR Grant N00014- 
01-1-0795, and by NSF Grant CCR-0098096. 



R. Amadio, D. Lugiez (Eds.): CONCUR 2003, LNCS 2761, pp. 327-349, 2003. 
© Springer- Verlag Berlin Heidelberg 2003 




328 



P. Mateus, J. Mitchell, and A. Scedrov 



model, largely derived from [10] and suggestions found in [24], a protocol ad- 
versary is allowed to choose among possible actions nondeterministically. This 
is a convenient idealization, intended to give the adversary a chance to find an 
attack if there is one. In the presence of nondeterminism, however, the set of 
messages an adversary may use to interfere with a protocol must be restricted 
severely. Although the idealized assumptions make protocol analysis tractable, 
they also make it possible to “verify” protocols that are in fact susceptible to 
simple attacks that lie outside the adversary model. Another limitation is that 
a deterministic or nondeterministic setting does not allow us to analyze proba- 
bilistic protocols. In other words, actual protocols use actual cryptosystems that 
may have their own weaknesses, or might employ probabilistic techniques not 
expressed in the idealized model. 

Recently there have been several research efforts to relate the idealized model 
to cryptographic techniques and the computational model based on probabilis- 
tic polynomial-time computation, including [7,16,23,25,26,3,2,9,4]. While these 
efforts develop rigorous mathematical settings carried out so far only “by hand” , 
it is hoped that they will eventually lead to a new generation of “high fidelity” 
automated tools for security analysis that will be able to express the methods 
and concepts of modern cryptography. 

Our initial contribution to this line of research was a formulation of a pro- 
cess calculus proposed in [16,23] as the basis for a form of protocol analysis 
that is formal, yet closer in foundations to the mathematical setting of modern 
cryptography. The framework relies on a language for defining communicat- 
ing polynomial-time processes. The reason we restrict processes to probabilistic 
polynomial time is so that we can reason about the security of protocols by 
quantifying over all “adversarial” processes definable in the language. In effect, 
establishing a bound on the running time of an adversary allows us to relax the 
simplifying assumptions. Specifically, it is possible to consider adversaries that 
might send randomly chosen messages, or perform sophisticated (yet probabilis- 
tic polynomial-time) computation to derive an attack from messages it overhears 
on the network. An important aspect of our framework is that we can analyze 
probabilistic as well as deterministic encryption functions and protocols. With- 
out a probabilistic framework, it would not be possible to analyze an encryption 
function such as [11], for which a single plaintext may have more than one ci- 
phertext. 

Some of the basic ideas of our prior work are outlined in [16,23]. Further 
example protocols are considered in [17]. The closest technical precursor is [1], 
which uses observational equivalence and channel abstraction but does not in- 
volve probability or computational complexity bounds. Prior work on CSP and 
security protocols, e.g., [28,29], also uses process calculus and security specifica- 
tions in the form of equivalence or related approximation orderings on processes. 

This approach is based on the intuition that security properties of a protocol 
P may be expressed by means of existence of an idealized protocol Q such that for 
any adversary M , the interactions between M and P have the same observable 
behavior as the interactions between M and Q. The idea of expressing security 
properties in terms of some comparison to an ideal protocol goes back at least to 
[15,6,5,20]. Here we emphasize a formalization of this idea by using observational 
equivalence, a standard notion from programming language theory. That is, two 
protocols $P$ and $Q$ are observationally equivalent if any program $C[P]$ has the 
same observable behavior as the program $C[Q]$, with $Q$ instead of $P$. The reason 
observational equivalence is applicable to security analysis is that it involves 
quantifying over all possible additional processes represented by the contexts 
C[ ] that might interact with P and Q, in precisely the same way that security 
properties involve quantifying over all possible adversaries. Our framework is a 
refinement of this approach. In our asymptotic formulation [16,23], observational 
equivalence between probabilistic polynomial-time processes coincides with the 
traditional notion of indistinguishability by polynomial-time statistical tests [13, 
30], a standard way of characterizing cryptographic primitives. 

In this paper we derive a compositionality property from inherent structural 
properties of our process calculus. Basically, compositionality states that com- 
posing secure protocols remains secure. We obtain a general result of this kind 
in two steps. We consider a notion of a secure realization, or, emulation of an 
ideal protocol, motivated by [7] but here expressed by means of asymptotic ob- 
servational equivalence. We show that the notion of emulation is congruent with 
the primitives of the calculus. Compositionality follows because the security re- 
quirements are expressed in the form that a real protocol securely realizes an 
ideal protocol. 

We also illustrate some of these concepts on a traditional cryptographic ex- 
ample of oblivious transfer [27,12,14,9]. We show how the natural security re- 
quirements may be expressed in our calculus in the form that a real protocol em- 
ulates an ideal protocol. Finally, we establish an important relationship between 
the process calculus framework and the interactive Turing machine framework 
discussed in [7,9,25,26,3]. Indeed, the work based on [7] provides an encyclope- 
dic treatment of a number of security requirements in a compositional setting. 
However, the framework of interactive Turing machines, even if optimal to deal 
with complexity results, is rather low-level and does not seem naturally suited 
for specification of and reasoning about cryptographic protocols. Moreover, the 
framework of interactive Turing machines comes about from the connections be- 
tween cryptography and complexity, and therefore, some effort must be spent to 
obtain structural results, such as the composition theorem. 

Basic definition and properties of the process calculus are discussed in Sect. 2. 
In Sect. 3 we discuss the notion of emulation, prove a general composition the- 
orem, and analyze the example of oblivious transfer. A comparison to the in- 
teractive Turing machine model is given in Sect. 4. We conclude the paper in 
Sect. 5. 



2 Probabilistic Polynomial-Time Process Calculus 

In this section, we describe a version of the probabilistic polynomial-time process 
calculus [16,23], with the intention of using of the calculus to derive composi- 
tionality properties of secure protocols. 
2.1 Syntax 

We assume as given once and for all a countable set $C$ of channels. In a discussion 
of security protocols it is common to consider a security parameter $n \in \mathbb{N}$. From 
now on, the symbol $n$ is reserved to designate such security parameter. The role 
of this parameter is twofold. It bounds the length of expressions that can be sent 
through each channel by a polynomial in $|n|$, the length of $n$. This is written 
into the syntax: we introduce a bandwidth map $w : C \to \mathfrak{q}$, where $\mathfrak{q}$ is the set 
of all polynomials in one variable taking positive values on natural numbers. 
Given a value $n$ for the security parameter, a channel $c$ can send messages with 
at most $w(c)(|n|)$ bits. It turns out that the security parameter also bounds all 
the computation in the calculus by probabilistic polynomial time. This property 
of the calculus is proved in [23]. 

The protocol language consists of a set of terms, or functional expressions 
that do not perform any communication, and processes, which can communicate 
with each other. 

We assume a set of numerical terms $T$ (endowed with a set of variables 
$Var$) with the following two properties. For any probabilistic polynomial (in the 
length of the security parameter $n$) time function $f$ there is a term $t \in T$ and 
the associated probabilistic Turing machine $M_t$ that computes $f$. Furthermore, 
given any term $t \in T$, the associated probabilistic Turing machine $M_t$ is always 
probabilistic polynomial time, PPT, with input $n$ and the numerical values of the 
variables of $t$. (An example of such a set of terms $T$ is described in [22], but 
the details of the construction are not needed here.) In order to ease notation, 
we shall confuse a term $t(x)$ with the probabilistic polynomial time function 
$f(x,n)$ associated to the PPT machine $M_t$. Hence, one can envision $T$ simply 
as the set of all probabilistic polynomial time functions, neglecting any further 
syntax. Once again, mind that all terms denote probabilistic polynomial time 
functions in the length of the security parameter $n$. After fixing $n$, we denote by 
$P(t(a) \to a')$ the probability of $M_t(a, n)$ converging to $a'$, and by $P(t(a) = t'(b))$ the 
probability of both associated Turing machines converging to the same value. 

We now present our language of process expressions, a version of Milner’s 
Calculus of Communicating Systems, CCS [21]. Bear in mind, though, that for 
us the overall computation must be probabilistic polynomial time and hence we 
use only polynomially bounded replication. 

Definition 1. The language of process expressions $\mathcal{L}$ is obtained inductively as 
follows: 

1. $0 \in \mathcal{L}$ (empty process: does nothing); 

2. $\nu c.Q \in \mathcal{L}$ where $c \in C$ and $Q \in \mathcal{L}$ (private channel: do $Q$ with channel $c$ 
considered private); 

3. $\langle t \rangle_c \in \mathcal{L}$ where $t \in T$ and $c \in C$ (output: transmit the value of $t$ on channel 
$c$); 

4. $(x)_c.Q \in \mathcal{L}$ where $c \in C$, $x \in Var$ and $Q \in \mathcal{L}$ (input: read value for $x$ on 
channel $c$ and do $Q$); 

5. $[t_1 = t_2].Q \in \mathcal{L}$ where $t_1, t_2 \in T$ and $Q \in \mathcal{L}$ (match: if $t_1 = t_2$ then do $Q$); 

6. $(Q_1 \mid Q_2) \in \mathcal{L}$ where $Q_1, Q_2 \in \mathcal{L}$ (parallel composition: do $Q_1$ in parallel with 
$Q_2$); 

7. $!_q Q \in \mathcal{L}$ where $Q \in \mathcal{L}$ and $q \in \mathfrak{q}$ (polynomially bounded replication: execute 
$q(|n|)$ copies of $Q$ in parallel). 

Every input or output on a private channel must appear within the scope of 
a $\nu$-operator binding that channel, that is, the channel name in the scope of a 
$\nu$-operator is considered bound. A process is a process expression in which the 
security parameter is replaced with a fixed natural number. Observe that the 
length of any process expression in $\mathcal{L}$ is polynomial in $|n|$. 

For each fixed value $k$ of the security parameter, we can remove replication 
by replacing each subexpression $!_q R$ of an expression $Q$ by $q(|k|)$ copies of $R$ in 
parallel, denoted $Q_k$. 

Let us also fix the following terminology and useful conventions. We assume 
that in any process expression in $\mathcal{L}$ private channels are named apart from other 
channels, which we call public. Analogously to first-order logic, a variable $x$ is 
said to occur free in a process expression $Q \in \mathcal{L}$ if there is an occurrence of $x$ 
that does not appear in the scope of a binding operator $(x)_c$. The set of all free 
variables of $Q$ is called the parameters of $Q$ and is denoted by $P_Q$. A process 
expression without parameters is called closed. 

Intuitively, messages are essentially pairs consisting of a “channel name” 
and a data value. The expression $\langle M \rangle_c$ places a pair $(c, M)$ onto the network. 
The expression $(x)_c.P$ matches any pair $(c,m)$ and continues process $P$ with $x$ 
bound to the least significant $w(c)(|n|)$ bits of the value $m$, because of the bandwidth 
restrictions. When $(x)_c.P$ consumes a pair $(c, M)$, the pair $(c, M)$ is removed 
from the network and is no longer available to be read by another process. 
Evaluation of $(x)_c.P$ does not proceed unless or until a pair $(c,m)$ is available. 

Although we use channel names to indicate the intended source and destina- 
tion of a communication, any process can potentially read any message, except 
when a channel is bound by the $\nu$-operator, hiding communication. However, 
we only intend to use private channels for ideal specifications and for model- 
ing various initial conditions in protocols regarding secret data, but we do not 
use private channels for modeling actual protocols. This communication model 
allows an adversary (or any process) to intercept a message between any two 
participants in a protocol. Once read, a pair is removed so that an adversary has 
the power to prevent the intended recipient from receiving a message. An adver- 
sary (or other process) may overhear a transaction without interfering simply 
by retransmitting every communication that it intercepts. 

Observe that the output primitive of the calculus allows us to compute the 
image of a probabilistic polynomial time function $f$ into some value $a$ and send $a$ 
through a channel $c$ (or part of it if the bandwidth of $c$ is too small). Moreover, 
the matching condition endows the calculus with the possibility of checking 
whether two terms converge to the same value. As we shall see, by combining 
these primitives we give a lot of power to the calculus. 

In order to illustrate the flexibility of the process calculus we present the 
following two examples: 
Example 1 (RSA encryption and decryption). Start by considering a very simple 
process $S$ that knows some message $M$ and integers $a, m$ and just outputs $M^a 
\bmod m$; this dummy process can be presented as $S(M) := \langle M^a \bmod m \rangle_u$. Let 
us develop this just a bit more, and consider a remote procedure that receives 
$x$ and outputs $x^a \bmod m$. This procedure can be modeled by the following 
process: $RP := (x)_c.S(x)$. 

Finally, consider that $p, q$ are primes, and $a, b$ are integers such that $ab \equiv 1 
\pmod{\varphi(pq)}$. Consider the process $RSA(a,b,pq) := Send(M) \mid Rec$, where 
$Send(M) := \langle M^a \bmod pq \rangle_u$ and $Rec := \nu u'.(x)_u.\langle x^b \bmod pq \rangle_{u'}$. Here the 
sender sends a message encrypted with the receiver’s encryption key $a$ and the 
receiver decrypts with its decryption key $b$ and stores the plaintext privately. 



Example 2 (Modular sequential composition). Suppose that a process $Q(c \to u)$ 
receives inputs through public channels $c$, works these inputs in some way, and 
returns relevant outputs through public channels $u$. If another process $R$ needs 
at some point to use $Q$, $R$ just needs to feed $Q$ with the required inputs, say 
$i$, and wait for $Q$ to output through channels $u$. Indeed, process $R$ could be 
defined, for instance, as $R := \langle i \rangle_c \mid (x)_u.R' \mid Q(c \to u)$. 



2.2 Semantics 

The semantics of a process $Q$ is a Markov chain $S(Q)$ over multisets of a special 
kind of processes, which we call eligible. Intuitively, the states of $S(Q)$ represent 
reduction stages of the process and the transitions denote probabilistic choices 
between reductions. Recall that only the values on public channels are observed, 
and thus in the semantics these channels have special status. 

The initial state of $S(Q)$ is the multiset consisting of certain subprocesses 
of $Q$ running in parallel, that is, if $Q = Q_1 \mid \cdots \mid Q_m$ then $S(Q)_0 = \{Q_1, \ldots, Q_m\}$ 
where the head operator of each $Q_i$ is not parallel composition. This setting 
captures the idea that in the initial state all such subprocesses are available 
for reduction. Actually, one obvious exception to this construction needs to be 
considered: if $Q = 0$ then there is no process to be reduced, and so $S(Q)_0$ is the 
empty multiset. At this stage, we assume that the security parameter $n$ is fixed, 
and therefore, all iterations have been replaced by parallel compositions. 

Taking into account the discussion above, it is clear that we have to dis- 
tinguish processes with head operator different from parallel composition. We 
call all these processes eligible for reduction and they can be defined formally as 
follows: 

Definition 2. The set of eligible processes $\mathcal{E}$ is defined inductively as follows: 

— $0 \in \mathcal{E}$; 

— $\langle t \rangle_c \in \mathcal{E}$ where $t \in T$ and $c \in C$; 

— $(x)_c.Q \in \mathcal{E}$ where $c \in C$, $x \in Var$ and $Q \in \mathcal{L}$; 

— $[t_1 = t_2].Q \in \mathcal{E}$ where $t_1, t_2 \in T$ and $Q \in \mathcal{L}$. 
In order to present the operational semantics, we set some notation on finite 
multisets. A finite multiset $\mathcal{M}$ over a set $L$ is a map $\mathcal{M} : L \to \mathbb{N}$ such that 
$\{l \in L : \mathcal{M}(l) > 0\}$ is finite. The difference of $\mathcal{M}$ and $\mathcal{M}'$ is the multiset $\mathcal{M} \setminus \mathcal{M}'$ where 
$(\mathcal{M} \setminus \mathcal{M}')(l) = \max(0, \mathcal{M}(l) - \mathcal{M}'(l))$. The union of two multisets $\mathcal{M}$ and $\mathcal{M}'$ is 
the multiset $\mathcal{M} \cup \mathcal{M}'$ where $(\mathcal{M} \cup \mathcal{M}')(l) = \mathcal{M}(l) + \mathcal{M}'(l)$. We say that $\mathcal{M} \subseteq \mathcal{M}'$ 
iff $\mathcal{M}(l) \le \mathcal{M}'(l)$ for all $l \in L$. Furthermore, we say that $l \in \mathcal{M}$ iff $\{l\} \subseteq \mathcal{M}$. 
Finally, we call $pfm(L)$ the set of all finite multisets over $L$. 

As discussed above, given a process $Q = Q_1 \mid \ldots \mid Q_m$ we need to construct the 
initial state $S(Q)_0 = \{Q_1, \ldots, Q_m\}$ where each $Q_i$ is an eligible process. This construction 
is also useful during reduction, since after reducing some processes more parallel 
compositions may appear. 

To deal with the binding channel operator $\nu$ we consider a set of fresh chan- 
nels $F$ and a fresh function 

$fresh : C \to F$ 

that maps a channel $c$ to a fresh channel $c'$ (that is, one that does not occur anywhere 
else) such that $w(c) = w(c')$. This fresh function ensures that one can find a 
channel $c'$ not occurring in any other process and therefore $c'$ can be considered 
private to some process at hand. As expected, the communication through these 
channels is not observed. 

Once again, at this step we assume a fixed security parameter n and that all 
iterations have been replaced by parallel compositions. 

Definition 3. Given a process $Q \in \mathcal{L}$ without iteration we obtain the multiset 
of sequences of $Q$, which we denote by $\mathcal{M}_Q$, as follows: 

— $\mathcal{M}_Q = \{\}$ whenever $Q = 0$; 

— $\mathcal{M}_Q = \{Q\}$ whenever $Q$ is eligible and different from $0$; 

— $\mathcal{M}_Q = \mathcal{M}_{R[fresh(c)/c]}$ whenever $Q = \nu c.R$, where $R[fresh(c)/c]$ is the process $R$ 
in which all free occurrences of $c$ are replaced by $fresh(c)$; 

— $\mathcal{M}_Q = \mathcal{M}_{Q'} \cup \mathcal{M}_{Q''}$ whenever $Q = Q' \mid Q''$. 

Instead of presenting the semantics with probabilistic labeled transition sys- 
tems as in [16,23], here we will use an alternative: Markov chains, a well- 
established concept from the stochastic processes community, following the style 
in [19]. 

Recall that a Markov chain $A$ over a set $S$ can be modeled as a state machine 
with state space $S$ where transiting from state $s$ to state $s'$ has probability 
$0 \le A(s, s') \le 1$. Obviously, these probabilities are such that for any $s \in S$ 

$$\sum_{s' \in S} A(s, s') = 1.$$ 

Example 3. The following simple Markov chain models the stochastic process of 
independently tossing a fair coin ad nauseam: it has two states, Heads and Tails, 
and every transition (Heads to Heads, Heads to Tails, Tails to Heads, Tails to Tails) 
has probability $1/2$ (figure omitted). 
Markov chains are specially suited to model the semantics of the process 
algebra, since, like in [16,23], process reduction is probabilistic and depends 
only on the (multi)set of subprocesses that remain to be reduced. Thus, the 
semantics of a process $Q$ is a Markov chain over the multisets of eligible 
subprocesses of $Q$. 

In order to establish the semantics for all processes, one can consider a huge 
Markov chain $S$, that given any multiset of eligible processes decides, according 
to some probabilistic rules, which terms should be reduced. Such a Markov chain 
is usually called a scheduler. Hence, given a multiset $\mathcal{M}$ of eligible processes 
there is a probability $S(\mathcal{M}, \mathcal{M}')$ of reducing $\mathcal{M}$ to $\mathcal{M}'$. The semantics of a single 
process $Q$ is recovered by restricting the scheduler $S$ to the states reachable from 
the multiset $\mathcal{M}_Q$ of sequences of $Q$. 

Note that one cannot accept any Markov chain as a scheduler. For instance, 
if the scheduler is at state $\{\}$, and therefore there is no process to reduce, the 
scheduler cannot transit to, say, $\{Q\}$ with positive probability. In other words, 
$S(\{\}, \{Q\})$ must be zero. Hence, if the scheduler transits from one state to an- 
other with positive probability then at least one reduction must be enabled. For 
this reason, it is relevant to enumerate all possible reductions: 

1. Term reduction: a term not in the scope of any input is reduced. 

2. Match: a match between terms occurs. 

3. Mismatch: a mismatch between terms occurs. 

4. Communication: two processes communicate via an input and output. 

5. Termination: none of the previous reductions is enabled (and so reduction 
has terminated). 

Communication has lower priority than term reduction, match and mismatch. 
Hence, communication is only enabled when none of the previously mentioned 
reductions is enabled. As stated before, each reduction imposes restrictions on 
the scheduler. For instance, Termination imposes that if there is no reduction 
enabled at state $\mathcal{M}$ then $S(\mathcal{M}, \mathcal{M}) = 1$. All other restrictions are more or less 
obvious and are captured in the following definition. 

Definition 4. A scheduler $S$ for a security parameter $n$ is a Markov chain with 
state space $pfm(\mathcal{E})$ such that if $S(\mathcal{M}_1, \mathcal{M}_2) > 0$ then one of the following con- 
ditions holds: 

1. Term reduction: $\langle t \rangle_c \in \mathcal{M}_1$ and $\mathcal{M}_2 = (\mathcal{M}_1 \setminus \{\langle t \rangle_c\}) \cup \{\langle m \rangle_c\}$; $\langle t \rangle_c$ is not in the 
scope of any input, $t$ does not have any free variables, $t$ evaluates to $m'$ with 
positive probability and $m$ corresponds to the least significant $w(c)(|n|)$ bits 
of $m'$; the transition probability is given by 

$S(\{\langle t \rangle_c\}, \{\langle m \rangle_c\}) = P(t \to m')$. 

2. Match: $[t_1 = t_2].Q \in \mathcal{M}_1$ where $t_1, t_2$ are closed terms and $\mathcal{M}_2 = (\mathcal{M}_1 \setminus 
\{[t_1 = t_2].Q\}) \cup \mathcal{M}_Q$; the transition probability is given by 

$S(\{[t_1 = t_2].Q\}, \{Q\}) = P(t_1 = t_2)$. 

This transition is probable whenever there is a match expression in $\mathcal{M}_1$ and 
$t_1$ evaluates to the same value as $t_2$ with positive probability. 

3. Mismatch: $[t_1 = t_2].Q \in \mathcal{M}_1$ where $t_1, t_2$ are closed terms and $\mathcal{M}_2 = \mathcal{M}_1 \setminus 
\{[t_1 = t_2].Q\}$; the transition probability is given by 

$S(\{[t_1 = t_2].Q\}, \{\}) = P(t_1 \neq t_2)$. 

This transition is probable whenever there is a match expression in $\mathcal{M}_1$ and 
$t_1$ evaluates to a different value than $t_2$ with positive probability. 

4. Communication: $\{\langle m \rangle_c, (x)_c.Q\} \subseteq \mathcal{M}_1$; all other transitions are not probable 
for $\mathcal{M}_1$; $\mathcal{M}_2 = (\mathcal{M}_1 \setminus \{\langle m \rangle_c, (x)_c.Q\}) \cup \mathcal{M}_{Q[m/x]}$, where $Q[m/x]$ stands for the process 
where we substitute all (free) occurrences of $x$ by $m$ in $Q$. This transition is 
probable whenever there is an input/output pair for a channel $c$ in $\mathcal{M}_1$ and 
no term reduction, match or mismatch transition is probable. 

5. Termination: $\mathcal{M}_1 = \mathcal{M}_2$; $S(\mathcal{M}_1, \mathcal{M}_2) = 1$; and all other transitions are 
not probable for $\mathcal{M}_1$. Whenever all reductions were made, the only enabled 
transition is the loop over the same state, which means that the reduction 
has terminated (and therefore $\mathcal{M}_1$ is an absorbing state). 

Note that from a practical view point, a scheduler can be seen as a process 
dispatcher, that decides, based on some policy, which is the next process to 
reduce. Moreover, schedulers are expected to have the following good properties: 

1. Channel and variable independence: probabilities are independent of the 
names of the channels and variables, that is: 

— $S(\mathcal{M}_1, \mathcal{M}_2) = S(\mathcal{M}_1[y/x], \mathcal{M}_2[y/x])$ provided that $y$ is free for $x$ 
in all processes of $\mathcal{M}_1$ and $\mathcal{M}_2$; 

— $S(\mathcal{M}_1, \mathcal{M}_2) = S(\mathcal{M}_1[d/c], \mathcal{M}_2[d/c])$ where $w(d) = w(c)$ and $d$ does not occur 
in any process of $\mathcal{M}_1$ and $\mathcal{M}_2$; 

2. Environment independence: probabilities are independent of the processes 
which are not involved in the transition, that is 

$S(\mathcal{M}_1, \mathcal{M}_2) = S(\mathcal{M}_1 \setminus \mathcal{M}, \mathcal{M}_2 \setminus \mathcal{M})$ for every $\mathcal{M} \subseteq \mathcal{M}_1$ with $\mathcal{M} \subseteq \mathcal{M}_2$ 
whose processes are not involved in the transition. 

3. Computational efficiency: the scheduler is modeled by a probabilistic poly- 
nomial time Turing machine. 

It is straightforward to check that the scheduler that gives uniform distribution 
to all possible transitions verifies the above properties. 

As stated before, the operational semantics for a process Q is defined by 
restricting the scheduler. 

Definition 5. Given a process $Q$ and a scheduler $S$, the operational semantics 
of $Q$ is the sub-Markov chain $S(Q)$ of $S$ consisting of all states reachable from 
$\mathcal{M}_Q$, with $S(Q)_0 = \mathcal{M}_Q$, that is, the initial state of $S(Q)$ is $\mathcal{M}_Q$. 

Note that the loops in $S(Q)$ are the absorbing transitions, and hence, all the 
states are either transient or absorbing. This fact implies that for $k$ sufficiently 
large we have $P(S(Q)_k = S(Q)_{k+m}) = 1$ for all $m \in \mathbb{N}$. In other words, any 
random sampling of $S(Q)$ will end in an absorbing state, and therefore $S(Q)$ 
always terminates. This is more or less expected, since in [23] it has been shown 
that $S(Q)$ can be modeled by a PPT machine and so, $S(Q)$ always terminates. 
2.3 Observations 

In order to establish the observations of a process Q, we consider a modulated 
Markov process K{Q) = (S{Q), 0 {Q)) where 0 {Q) is the stochastic process of 
observations of Q. The term modulated here means the probability distribution 
over the observations is computable from the distribution over the states. 

This process is defined as expected: when a communication over a pub- 
lic channel occurs the pair (channel, output) is observed; when another type of 
transition occurs nothing is observed, which is modeled by the special symbol $\tau$. 
Hence, the set of observations is $(C \times \mathbb{N}) \cup \{\tau\}$. Naturally, the probabilities of 
the observations are guided (modulated) by the probabilities on $S(Q)$. Given a 
scheduler $S$, we can obtain the global observation process $K = (S, O)$ as follows: 

Definition 6. Given a scheduler $S$ and a security parameter $n$, we define the ob- 
servation modulated Markov process $K = (S, O)$ where $O$ is a stochastic process 
over $(C \times \mathbb{N}) \cup \{\tau\}$ such that: 

— $K((\mathcal{M}_1, o_1), (\mathcal{M}_2, o_2)) = S(\mathcal{M}_1, \mathcal{M}_2)$ whenever one of the following condi- 
tions holds: 

• $o_2 = (c, m)$ and the public channel $c$ outputs $m$ in the transition of $\mathcal{M}_1$ 
to $\mathcal{M}_2$ in $S$ (note that $c$ cannot be a fresh channel); 

• $o_2 = \tau$ and the transition from $\mathcal{M}_1$ to $\mathcal{M}_2$ in $S$ was not a communication 
over a public channel. 

— $K((\mathcal{M}_1, o_1), (\mathcal{M}_2, o_2)) = 0$ in all other cases. 

Observe that $K$ is indeed a Markov process modulated by $S$, since there exists 
a function $f$ such that $K((\mathcal{M}_1, o_1), (\mathcal{M}_2, o_2)) = S(\mathcal{M}_1, \mathcal{M}_2)\, f(\mathcal{M}_1, \mathcal{M}_2)$. Once 
again, by restricting $K$ to $S(Q)$ we obtain the required modulated stochastic 
process of observations $K(Q)$ for the process $Q$. For the sake of easing notation 
we denote the set of all observations by $Ob = (C \times \mathbb{N}) \cup \{\tau\}$. 

In order to establish observational equivalence, we need to compute the prob- 
ability of observing some output $o \in Ob$ at any point of the reduction trace. We 
denote this probability by $P(o \in T)$ and it can be computed as follows: 

Definition 7. Given an observation process $K = (S, O)$ the probability of ob- 
serving some output $o \in Ob$ at any point of the reduction trace is 

$$P(o \in T) = \sum_{i=1}^{\infty} P\Big(\bigwedge_{j=1}^{i} o_j \in C_j\Big), \qquad \text{where } C_j = \begin{cases} \{o\} & \text{if } j = i \\ Ob \setminus \{o\} & \text{otherwise.} \end{cases}$$ 

After fixing a scheduler $S$, the probability of the trace outputting $o$ is calcu- 
lated by an infinite series. Each term of the series represents the probability of $o$ 
being output for the first time at the $i$-th reduction step. Hence, for any process 
$Q$, $P(o \in T(Q))$ measures the probability of generating the output $o$ at any point of 
its reduction. 

Next, we present a toy example to articulate the concepts discussed above. 
Example 4. Start by considering the following simple process expression $Q$ 

$$\langle Rand + 1 \rangle_c \mid (x)_c.\langle x + 1 \rangle_d \mid \langle 2 \rangle_d \mid (y)_d.\langle y + 1 \rangle_e$$ 

where $Rand$ is a uniform Bernoulli random variable taking values over $\{0,1\}$ 
(that is, it has probability $\frac{1}{2}$ of taking value 0 or 1). The multiset of sequences 
of $Q$ is 

$$\mathcal{M}_Q = \{\langle Rand + 1 \rangle_c,\ (x)_c.\langle x + 1 \rangle_d,\ \langle 2 \rangle_d,\ (y)_d.\langle y + 1 \rangle_e\}.$$ 

We proceed by considering three different types of schedulers. For the sake of 
simplicity we skip over some additions. 

1) Assume that the scheduler gives more priority to reducing the leftmost pro- 
cesses than to reducing the rightmost ones. For this particular example, we 
assume that Mq is ordered just to express clearly which terms are reduced first 
by the scheduler. In that case S{Q) is as follows: 



[Figure: S(Q) for the leftmost-priority scheduler. From {⟨Rand + 1⟩_c, (x)_c.⟨x + 1⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e} the evaluation of Rand branches to {⟨1⟩_c, (x)_c.⟨x + 1⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e} and {⟨2⟩_c, (x)_c.⟨x + 1⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e}; the first then reduces with probability 1 to {⟨2⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e} and then to {⟨2⟩_d, ⟨3⟩_e}, the second with probability 1 to {⟨3⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e} and then to {⟨2⟩_d, ⟨4⟩_e}.]
The modulated observation Markov process K(Q) = (S(Q), O(Q)) is



[Figure: K(Q) for this scheduler, i.e. the transitions of S(Q) labelled with their observations: 1:⟨c,1⟩ and then 1:⟨d,2⟩ along the branch through {⟨2⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e} to {⟨2⟩_d, ⟨3⟩_e}; 1:⟨c,2⟩ and then 1:⟨d,3⟩ along the branch through {⟨3⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e} to {⟨2⟩_d, ⟨4⟩_e}; and 1:τ from each of the two final states.]
Hence, the probability of observing an output in the trace T is as presented in the following table:

    observation   (c,1)   (c,2)   (d,2)   (d,3)    τ     o
    P(o ∈ T)       1/2     1/2     1/2     1/2     1     0

where o is any output in Ob \ {(c, 1), (c, 2), (d, 2), (d, 3), τ}.

2) Now, suppose that the scheduler gives more priority to reducing the rightmost processes than to reducing the leftmost ones. Once again we assume that the multiset is ordered. In that case S(Q) (together with K(Q)) is as follows:



[Figure: S(Q) together with K(Q) for the rightmost-priority scheduler. From {⟨Rand + 1⟩_c, (x)_c.⟨x + 1⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e} the evaluation of Rand branches to {⟨1⟩_c, (x)_c.⟨x + 1⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e} and {⟨2⟩_c, (x)_c.⟨x + 1⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e}; the first reduces with 1:⟨d,2⟩ to {⟨1⟩_c, (x)_c.⟨x + 1⟩_d, ⟨3⟩_e} and then with 1:⟨c,1⟩ to {⟨2⟩_d, ⟨3⟩_e}; the second reduces with 1:⟨d,2⟩ to {⟨2⟩_c, (x)_c.⟨x + 1⟩_d, ⟨3⟩_e} and then with 1:⟨c,2⟩ to {⟨3⟩_d, ⟨3⟩_e}; both final states loop with 1:τ.]



Note that even if reduction is from the right to the left, evaluating Rand has priority over any other reduction. The probability of observing an output in the trace T is:

    observation   (c,1)   (c,2)   (d,2)    τ     o
    P(o ∈ T)       1/2     1/2      1      1     0

where o is any output in Ob \ {(c, 1), (c, 2), (d, 2), τ}.

3) Finally, suppose that the scheduler chooses uniformly which processes to reduce. In that case S(Q) (together with K(Q)) is of the following form:

[Figure: after the evaluation of Rand branches to {⟨1⟩_c, (x)_c.⟨x + 1⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e} and {⟨2⟩_c, (x)_c.⟨x + 1⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e}, each of these states offers two communications, chosen with probability 1/2 each: the first state reduces to {⟨2⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e} or to {⟨1⟩_c, (x)_c.⟨x + 1⟩_d, ⟨3⟩_e}, both ending in {⟨2⟩_d, ⟨3⟩_e}; the second reduces to {⟨3⟩_d, ⟨2⟩_d, (y)_d.⟨y + 1⟩_e}, ending in {⟨2⟩_d, ⟨4⟩_e} or in {⟨3⟩_d, ⟨3⟩_e}, or to {⟨2⟩_c, (x)_c.⟨x + 1⟩_d, ⟨3⟩_e}, ending in {⟨3⟩_d, ⟨3⟩_e}; the final states loop with 1:τ.]

The probability of observing an output in the trace T is:

    observation   (c,1)   (c,2)   (d,2)   (d,3)    τ     o
    P(o ∈ T)       1/2     1/2     7/8     1/8     1     0

where o is any output in Ob \ {(c, 1), (c, 2), (d, 2), (d, 3), τ}.

From now on, we assume fixed once and for all a scheduler S. Thus, all 
random quantities mentioned in the sequel are bound to S. 
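The three schedulers of Example 4 can be checked mechanically. The following Python script is an added example, not code from the paper: it encodes M_Q as an ordered tuple of terms (a constructed encoding), implements the three scheduling policies described above (with the evaluation of Rand taking priority over every other reduction, as the text notes), enumerates the scheduler-modulated process K(Q), and computes the first-occurrence terms of Definition 7 together with their sums P(o ∈ T). It assumes that all three channels c, d and e are public and that an input's continuation takes the position of the input term, as in the multisets drawn above.

```python
from fractions import Fraction

# Constructed encoding of the process terms of Example 4 (not the paper's
# notation): the ordered multiset M_Q is a tuple of the following terms.
#   ('rand', ch)     stands for <Rand + 1>_ch, Rand uniform over {0, 1}
#   ('out', ch, v)   stands for <v>_ch
#   ('in', ch, k)    stands for (x)_ch . k(x), k building the continuation
# Assumption: every channel here (c, d, e) is public, as the observations
# (c, .) and (d, .) in the paper's tables imply.
TAU = 'tau'

def send_plus_one_on(ch):
    """Continuation of an input term: (x)_? . <x + 1>_ch."""
    return lambda x: ('out', ch, x + 1)

Q = (('rand', 'c'),
     ('in', 'c', send_plus_one_on('d')),
     ('out', 'd', 2),
     ('in', 'd', send_plus_one_on('e')))

def enabled_pairs(state):
    """(sender index, receiver index) pairs that can communicate right now."""
    return [(i, j)
            for i, p in enumerate(state) if p[0] == 'out'
            for j, q in enumerate(state) if q[0] == 'in' and q[1] == p[1]]

def communicate(state, i, j):
    """Reduce <v>_ch | (x)_ch.k(x): the receiver becomes k(v), the sender vanishes.
    Returns the new state and the observation (ch, v) of Definition 6."""
    ch, v = state[i][1], state[i][2]
    new = list(state)
    new[j] = state[j][2](v)
    del new[i]
    return tuple(new), (ch, v)

def scheduler_steps(state, policy):
    """Distribution over the next reduction chosen by the scheduler S:
    a list of (probability, next state, observation) triples."""
    # As the paper notes for its schedulers, evaluating Rand has priority
    # over any other reduction; it is not a communication, so it observes tau.
    for i, p in enumerate(state):
        if p[0] == 'rand':
            branches = []
            for r in (0, 1):
                new = list(state)
                new[i] = ('out', p[1], r + 1)
                branches.append((Fraction(1, 2), tuple(new), TAU))
            return branches
    pairs = enabled_pairs(state)
    if not pairs:
        return []                      # terminal state: K keeps observing tau
    if policy == 'left':               # scheduler 1: leftmost process first
        pairs = [min(pairs, key=min)]
    elif policy == 'right':            # scheduler 2: rightmost process first
        pairs = [max(pairs, key=max)]
    elif policy != 'uniform':          # scheduler 3: uniform choice
        raise ValueError(policy)
    w = Fraction(1, len(pairs))
    return [(w,) + communicate(state, i, j) for i, j in pairs]

def first_occurrence_series(state, policy):
    """Terms of the series in Definition 7: {o: {i: P(o first observed at step i)}}."""
    series = {}

    def walk(st, prob, seen, i):
        branches = scheduler_steps(st, policy) or [(Fraction(1), None, TAU)]
        for w, nxt, obs in branches:
            p = prob * w
            if obs not in seen:
                terms = series.setdefault(obs, {})
                terms[i] = terms.get(i, Fraction(0)) + p
            if nxt is not None:
                walk(nxt, p, seen | {obs}, i + 1)

    walk(state, Fraction(1), frozenset(), 1)
    return series

def prob_in_trace(state, policy):
    """P(o in T) for every observation o that the scheduler can produce."""
    return {o: sum(terms.values(), Fraction(0))
            for o, terms in first_occurrence_series(state, policy).items()}

if __name__ == '__main__':
    for policy in ('left', 'right', 'uniform'):
        table = prob_in_trace(Q, policy)
        print(policy, {o: str(p) for o, p in sorted(table.items(), key=str)})
```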

2.4 Observational Equivalence 

Let us now discuss the asymptotic formulation of observational equivalence for 
our process calculus introduced in [16,23], which draws on two sources. One 
source is programming language theory with its standard notion of observa- 
tional equivalence of two programs P and Q, which intuitively means that in 
any environment, P has the same observable behavior as Q does in that same 
environment. 

Another source of our asymptotic formulation is the notion of computational indistinguishability by polynomial-time statistical tests, standard in cryptography [13,30]. Intuitively, two probability distributions are computationally indistinguishable if it is not feasible to distinguish them. Stated somewhat more formally, this means that the two distributions cannot be distinguished, up to a negligible function of a security parameter, by probabilistic polynomial-time tests.

In order to present the asymptotic formulation of observational equivalence 
in detail in the setting of our calculus, we use the following definition of a context, 
intended to formalize an intuitive idea of a program environment: 

Definition 8. The set of contexts Ctx is defined inductively as follows: [ ] ∈ Ctx; νc.C[ ] ∈ Ctx provided that C[ ] ∈ Ctx; (x)_c.C[ ] ∈ Ctx provided that C[ ] ∈ Ctx; [t_1 = t_2].C[ ] ∈ Ctx provided that C[ ] ∈ Ctx; C[ ] | Q ∈ Ctx provided that C[ ] ∈ Ctx and Q ∈ L; Q | C[ ] ∈ Ctx provided that C[ ] ∈ Ctx and Q ∈ L; and !_q C[ ] ∈ Ctx provided that C[ ] ∈ Ctx and q is a polynomial.

Given a context C[ ] and a process expression Q, the notation C[Q] means that we substitute the process Q for the [ ] in C[ ]. We recall that for each fixed value k of the security parameter, the process C[Q]_k is obtained from C[Q] by replacing each subexpression !_q R by q(|k|) copies of R in parallel.

Let us also recall that to establish the trace process T we rely on a proba- 
bilistic polynomial-time scheduler S and the associated observation process K. 
Hence, any trace process T is parameterized by a probabilistic polynomial-time 
scheduler S. 

Definition 9. Let Q_1 and Q_2 be closed process expressions. We say that Q_1 and Q_2 are observationally equivalent or computationally indistinguishable iff for every scheduler S, every context C[ ], every polynomial q(), every observation (u, m) and n sufficiently large

$$\big|\,P(T(C[Q_1]_n) = (u, m)) - P(T(C[Q_2]_n) = (u, m))\,\big| < 1/q(n).$$

In this case we write Q_1 ~ Q_2.

Therefore two closed process expressions are computationally indistinguishable iff they are indistinguishable by contexts, that is, there is no context that can distinguish, up to a negligible function of the security parameter, the observable behavior of the given process expressions in that context. Intuitively, this definition merges with the standard definition of computational indistinguishability, since process expressions can be modeled by probabilistic polynomial-time Turing machines [23] and the contexts C[ ] induce the required distinguishing probabilistic polynomial-time tests. However, one benefit of our process-language-based approach is the following proposition:

Proposition 1. Computational indistinguishability is a congruence relation with respect to the primitives of L.

Proof. Both symmetry and reflexivity are trivial to check. Transitivity follows by the triangle inequality, taking into account that ½q(n) is a polynomial. Finally, congruence on the operators follows by noticing that for any contexts C[ ] and C'[ ], C'[C[ ]] is also a context. □
3 Emulation and Composition Theorem

One rather flexible and expressive way of formulating the requirement that a given protocol satisfy some security property or fulfill a cryptographic objective or task is by relating the given protocol to an ideal protocol that clearly satisfies the property or fulfills the task. This idea appears in various forms already in [15,6,5,20]. In our approach [22,23,17], motivated by [28,29,1], we formulate the relationship between the given and the ideal protocol by means of observational equivalence. It is also very useful, especially for security properties that allow protocol participants to behave in an adversarial way toward each other, to structure the notion of an ideal protocol so that the generic description of the security property or the cryptographic task itself is separated from the description of the intended adversarial behavior of the participants or even external adversaries. This may be presented by means of the so-called emulation relation [7]. Let us discuss how this method may be expressed in our process calculus framework.

Let I be a generic, ideal representation of some cryptographic objective or task. One can think of I as a generic process that accomplishes the objective. Such a process I is sometimes called a functionality. The adversarial behavior, or the threat model, may be expressed as the kind of environment ℬ, or an ideal adversary, in the presence of which I is intended to be executed. In our setting the description of the environment is given by means of families of contexts.

A similar distinction may be made between actual protocols, written as process expressions Q, and their intended adversaries 𝒜 which are defined as certain families of contexts. We say that a protocol Q securely realizes the functionality I, or that Q emulates I, if for any real adversary, say represented by a context A[ ] ∈ 𝒜, the trace process of A[Q] is observationally equivalent to the trace process of B[I] for some ideal adversary, represented by a context B[ ] ∈ ℬ, where an ideal adversary is an adversary which cannot corrupt I. This property asserts that given a real adversary A[ ] we cannot computationally distinguish the public outputs of A[Q] from the public outputs of the well-behaved process B[I] for some B[ ] ∈ ℬ. Therefore, we infer that A[Q] is also well-behaved. Recall that we use outputs to model what information participants possess, so if A is able to obtain some data efficiently from Q that A should not have, then A can issue an output with such information. In this case, we would not find any ideal adversary B which is able to gather from I similar information (by choosing correctly the set ℬ of ideal adversaries), and hence, the trace process of A[Q] is not going to be observationally equivalent to B[I] for any possible ideal adversary B[ ] ∈ ℬ.

This discussion leads to the concept of emulation with respect to a set of real adversaries 𝒜 and ideal adversaries ℬ.

Definition 10. Let Q and I be closed process expressions and 𝒜 and ℬ sets of contexts; then Q emulates I with respect to 𝒜 and ℬ iff for all contexts A[ ] ∈ 𝒜 there exists a context B[ ] ∈ ℬ such that A[Q] ~ B[I]. In such case we write Q ≤_{𝒜,ℬ} I and say that Q is an emulation of I, or that Q is a secure implementation of I with respect to 𝒜 and ℬ.
A desirable property of the emulation relation is a compositionality property, informally discussed in the setting of secure computation already in [20] and more recently in [7]. Intuitively, if Q is a secure implementation of I, if R and J are two protocols that use the ideal protocol I as a component, and if R is a secure implementation of J, then R[Q] should be a secure implementation of J. This property may be formally captured in our process calculus as follows:

Theorem 1. Let Q, I be closed process expressions, let J[ ] and R[ ] be contexts, and let 𝒜, ℬ, 𝒞 and 𝒟 be sets of contexts. If R[B[I]] ≤_{𝒞,𝒟} J[B[I]] for any B[ ] ∈ ℬ and Q ≤_{𝒜,ℬ} I, then for any A[ ] ∈ 𝒜 there exists B[ ] ∈ ℬ such that R[A[Q]] ≤_{𝒞,𝒟} J[B[I]].

Proof. Let A[ ] ∈ 𝒜 and B[ ] ∈ ℬ be such that A[Q] ~ B[I]. Now choose some C[ ] ∈ 𝒞. Clearly C[R[A[Q]]] ~ C[R[B[I]]] since ~ is a congruence relation. Moreover, since R[B[I]] ≤_{𝒞,𝒟} J[B[I]], there is a D[ ] ∈ 𝒟 such that C[R[B[I]]] ~ D[J[B[I]]]. Finally, by transitivity of ~ we have that C[R[A[Q]]] ~ D[J[B[I]]] and hence R[A[Q]] ≤_{𝒞,𝒟} J[B[I]]. □

Ideal protocols often consist of a generic, honest part I and an ideal adversary B, and are therefore of the form B[I]. This justifies why we consider R[B[I]] in the proposition above instead of R[I]. Moreover, adversaries for R and J might be different from those of Q and I. Therefore, we need to consider two pairs of sets of contexts, 𝒞, 𝒟 and 𝒜, ℬ.

3.1 Example: Oblivious Transfer 

Oblivious transfer (OT) [27,12,14,9] is a two-party protocol where one agent is called the sender and the other the receiver. The sender's input is a vector of k bits b = b_1 … b_k and the receiver's input is a number i, 1 ≤ i ≤ k. The purpose of the protocol is, intuitively, to transfer the i-th bit b_i of the vector b to the receiver without revealing any other bit to the receiver and without revealing the address i to the sender. We will refer to these two informal security requirements as sender security and receiver security, respectively.

Following the general paradigm just discussed at the beginning of this section, we would like to express either of these security requirements by means of observational equivalence to a certain ideal protocol, in this case, an ideal version of oblivious transfer. In an ideal setting there is a trusted and neutral third party, T = (x)_v.(y)_{v'}.⟨x_y⟩_{v''}, that expects the vector of k bits b from the sender and the value i from the receiver, and then sends b_i to the receiver, where by convention b_i = b_k if i > k. Informally, we can think of the sender and the receiver as each communicating with T on separate private channels, or even more simply, that the sender and the receiver are subsumed into T. In any case, the only information T reveals to anyone is x_y on channel v''. T has no other outputs. T (or a copy of T with the channels renamed) is the oblivious transfer functionality.

What are the appropriate threats to consider? In the worst case the adversary may be adaptive [9], i.e., the adversary can corrupt any of the parties at any point in response to data received during the protocol execution. We do not discuss this threat model here. Rather, we restrict ourselves to the simpler and somewhat weaker variant, the so-called non-adaptive or static adversaries [9], which can corrupt parties only once, at the beginning of the protocol execution. In this variant, it makes sense to consider several cases separately, depending on which party, the sender or the receiver, is honest and which is an adversary, and furthermore, the distinction between which is which does not change during the run of the protocol. We consider only one case, where the sender is honest and the receiver is an adversary, and in this case we are interested in sender security.

What should the static adversary receiver be able to do in the presence of the ideal oblivious transfer, the functionality T? In our setting everyone is bounded by probabilistic polynomial time, so in any case the receiver's output must be a probabilistic polynomial-time computable function, say f, of the receiver's input, i, and of any reply that the receiver can get from T, that is, one bit of the vector b. This may not be the very i-th bit because the receiver could have sent another request, j, to T in order to gain more information. But T gives only one reply so the receiver cannot learn more than one bit from T. That is, the adversary receiver's output must be of the form f(i, b_{g(i)}), where f and g are probabilistic polynomial-time computable functions. We will assume that an ideal adversary receiver is basically a parallel composition of processes, with one private call to a subroutine (intended to be T). The following definition describes this in a formal way:

Definition 11. An ideal receiver adversary is a context B[ ] such that B[T] is observationally equivalent to R[T], where R[ ] is a context of the form
• ■ ■ {^ra)um-{y) V\ - - ■ 

where the other input channel of T (channel v in the description above) does not occur and where the only output not corresponding to any input is public and it occurs in Q, and this output is of the form ⟨t'(y, z)⟩_u, where t and t' are terms. We denote the set of all ideal receiver adversaries by ℐ.

Real adversaries that will attack a real sender have no restrictions whatsoever on the amount of information they might obtain from interacting with a real sender, other than that they must do that in probabilistic polynomial time, and that they cannot corrupt the sender. We shall assume that a real adversary is a process running in parallel with the sender, that is:

Definition 12. A real receiver adversary is a context of the form [ ] | A. We denote the set of all real receiver adversaries as ℛ.

We say that a protocol Q_S | Q_R is a sender secure oblivious transfer protocol if the sender Q_S running in parallel with any real adversary emulates the ideal setting, that is:

Definition 13. A protocol Q_S | Q_R is a sender secure oblivious transfer protocol iff Q_S ≤_{ℛ,ℐ} T.
Note that the condition that the definition imposes only involves the real sender Q_S, not the real receiver Q_R. Furthermore, note that the correctness condition on the protocol may be expressed in a similar way, by requiring that Q_S | Q_R be observationally equivalent to R[T] for some honest ideal adversary receiver R[ ] that makes an honest request to T and outputs T's reply, i.e., such that t(y) = y and t'(z, y) = z_y.

The following result is an immediate corollary of Theorem 1. 

Proposition 2. The notion of sender secure is compositional. That is, let J[ ] and K[ ] be contexts and let 𝒞 and 𝒟 be sets of contexts. If K[B[T]] ≤_{𝒞,𝒟} J[B[T]] for any B[ ] ∈ ℐ and Q_S ≤_{ℛ,ℐ} T, then for any adversary A ∈ ℛ there exists B[ ] ∈ ℐ such that K[Q_S | A] ≤_{𝒞,𝒟} J[B[T]].

We now present a well-known oblivious transfer protocol. We consider the version presented in [9,14], which is an adaptation of the original protocol due to Rabin [27]. In order to establish this protocol, one needs to introduce some assumptions: a collection of trapdoor permutations f = {f_a : D_a → D_a}_{a ∈ I}, where each f_a is probabilistic polynomial-time in n but hard to invert; a trapdoor generator G which is probabilistic polynomial-time in n and generates a pair (a, t) with a ∈ I; and a hard-core predicate B on f. Mind that for a pair (a, t) there is a function f^{-1}(t, ·), probabilistic polynomial-time in n, such that f^{-1}(t, ·) is the inverse of f_a. Moreover, a hard-core predicate B : D_a → {0, 1} is a predicate computable in polynomial time (in its input) such that knowing f_a(x) does not help to predict B(x), that is, it is hard to predict B from an image by f_a. We ask the reader to see [13] for more details on these assumptions.

Example 5 (Rabin OT protocol). The protocol is composed of two parallel agents, the Sender and the Receiver. First, on k-bit input b_1 … b_k, the Sender selects a trapdoor pair (a, t) using a term G and private channel v_S and then sends a to the Receiver. Upon reading an input i and receiving a, the Receiver chooses uniformly and independently at random k elements e_1, …, e_k of D_a and then sends the elements y_1 … y_k to the Sender with y_i = f_a(e_i), and y_j = e_j when j ≠ i. (Thus the receiver knows f_a^{-1}(y_i) = e_i but cannot predict B(f_a^{-1}(y_j)) for any j ≠ i.) When the Sender receives y_1 … y_k it sends back the tuple (b_j ⊕ B(f^{-1}(t, y_j)))_{j ∈ {1, …, k}}, where ⊕ denotes the usual bit addition operation. (Recall that f^{-1}(t, y_j) = f_a^{-1}(y_j) for every j ∈ {1, …, k}.) The Receiver upon receiving the tuple picks the i-th element c_i and gets b_i via c_i ⊕ B(e_i) = (b_i ⊕ B(f_a^{-1}(f_a(e_i)))) ⊕ B(e_i) = b_i. The protocol can be written in the process calculus as follows:

S = (b_1, …, b_k)_{v_in}. νv_S (
      ⟨G⟩_{v_S} |
      (a, t)_{v_S}. (
        ⟨a⟩_{v_2} |
        (y_1, …, y_k)_{v_3}. ⟨b_1 ⊕ B(f^{-1}(t, y_1)), …, b_k ⊕ B(f^{-1}(t, y_k))⟩_{v_4}
      )
    );

R = (i)_{v_in'}. (a)_{v_2}. (
      !_k ⟨Rand(D_a)⟩_{v_R} |
      (e_1)_{v_R} … (e_k)_{v_R}. (
        ⟨e_1, …, e_{i-1}, f_a(e_i), e_{i+1}, …, e_k⟩_{v_3} |
        (c_1, …, c_k)_{v_4}. ⟨c_i ⊕ B(e_i)⟩_u
      )
    ).

(The names of the channels on which S reads its input b_1, …, b_k and R reads its input i are illegible in the source; v_in and v_in' stand in for them above.)



Proposition 3. The Rabin OT protocol is not sender secure. 

Proof. The honest receiver in the protocol is too generous: an adversary receiver can easily do for each j ≠ i what the honest receiver in the Rabin protocol does only for i, and thus get from the sender all the b_j's. That is, consider the following real receiver adversary (the channel on which i is read is illegible in the source and written v_in' as above):

R[ ] = [ ] | (i)_{v_in'}. (a)_{v_2}. (
      !_k ⟨Rand(D_a)⟩_{v_R} |
      (e_1)_{v_R} … (e_k)_{v_R}. (
        ⟨f_a(e_1), …, f_a(e_k)⟩_{v_3} |
        (c_1, …, c_k)_{v_4}. ⟨c_1 ⊕ B(e_1), …, c_k ⊕ B(e_k)⟩_u
      )
    ).

It is easy to see that this receiver outputs all the b_j's. Clearly this is a successful attack by the receiver, who learns the entire input string of the sender. Formally, the output containing all the b_j's can be computationally distinguished from an output of an ideal receiver adversary, which is of the form f(i, b_{g(i)}), where f and g are probabilistic polynomial-time functions. □

In Sect. 8 of the full paper [9] and in Sect. 7.4 of [14] it is shown how to 
compile this protocol into an oblivious transfer that is sender secure as well as 
receiver secure. A related compilation method is discussed in [8]. The details of 
the compiler itself can be expressed in our process calculus, but that falls beyond 
the scope of this paper. 
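As an added illustration of Example 5 and of the argument behind Proposition 3 (this script is not the paper's code), the following Python program instantiates the Rabin OT exchange with an assumed toy trapdoor permutation family (RSA over a small constructed modulus, index a = (N, e), trapdoor t = d, hard-core predicate B taken to be the least significant bit) and checks both the correctness condition, that the honest Receiver recovers b_i, and the failure of sender security, that the over-generous receiver of the proof recovers the whole vector b from the Sender's reply on v_4.

```python
import math
import random

# Toy trapdoor permutation, assumed for illustration only: RSA with a small
# constructed modulus. D_a is Z_N^*, f_a(x) = x^e mod N, f^{-1}(t, y) = y^t mod N.
def trapdoor_generator():
    """The term G of Example 5: returns the pair (a, t)."""
    p, q = 1009, 1013                      # constructed toy primes
    n = p * q
    e = 17
    t = pow(e, -1, (p - 1) * (q - 1))      # the trapdoor (RSA private exponent)
    return (n, e), t

def f(a, x):
    """f_a(x)."""
    n, e = a
    return pow(x, e, n)

def f_inv(t, a, y):
    """f^{-1}(t, y), which equals f_a^{-1}(y)."""
    n, _ = a
    return pow(y, t, n)

def B(x):
    """Assumed hard-core predicate: the least significant bit of x."""
    return x & 1

def rand_domain(a, rng):
    """Rand(D_a): a uniform element of Z_N^*."""
    n, _ = a
    while True:
        x = rng.randrange(2, n - 1)
        if math.gcd(x, n) == 1:
            return x

def sender_reply(b, t, a, ys):
    """The Sender's message on v_4: (b_j xor B(f^{-1}(t, y_j))) for every j."""
    return [bj ^ B(f_inv(t, a, yj)) for bj, yj in zip(b, ys)]

def honest_receiver(a, i, k, rng):
    """The Receiver of Example 5: only e_i is hidden under f_a, the other e_j
    are sent in the clear. Returns (y_1..y_k, output function of c_1..c_k)."""
    es = [rand_domain(a, rng) for _ in range(k)]
    ys = [f(a, e) if j == i else e for j, e in enumerate(es)]
    return ys, lambda cs: cs[i] ^ B(es[i])          # c_i xor B(e_i) = b_i

def generous_receiver(a, i, k, rng):
    """The real receiver adversary of Proposition 3: does for every j what the
    honest receiver does only for i, so every reply c_j becomes decodable."""
    es = [rand_domain(a, rng) for _ in range(k)]
    ys = [f(a, e) for e in es]
    return ys, lambda cs: [cj ^ B(ej) for cj, ej in zip(cs, es)]

def run_rabin_ot(b, i, receiver, seed=0):
    """One run of Sender | Receiver on input vector b and (0-based) index i.
    Returns whatever the receiver outputs on channel u."""
    rng = random.Random(seed)                          # constructed randomness
    a, t = trapdoor_generator()                        # Sender: <G>_{v_S}, a on v_2
    ys, output = receiver(a, i, len(b), rng)           # Receiver: y_1..y_k on v_3
    cs = sender_reply(b, t, a, ys)                     # Sender: reply on v_4
    return output(cs)

if __name__ == '__main__':
    bits = [1, 0, 1, 1, 0, 0, 1, 0]                    # constructed sender input
    print("honest receiver, i=3:", run_rabin_ot(bits, 3, honest_receiver))
    print("generous receiver  :", run_rabin_ot(bits, 3, generous_receiver))
```

The second line of output equals the Sender's whole input, which no ideal receiver adversary of the form f(i, b_{g(i)}) can produce; that is exactly the distinguishing output used in the proof of Proposition 3.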

4 Related Work 

We briefly compare our approach with related work based on interactive Turing 
machines [7,9] and secure reactive systems [25,26,3,4]. 

The approach in [7,9] is formulated in terms of interactive Turing machines 
(ITM), which are basically the familiar Turing machines with several additional 
tapes: read-only random input tape, read-and-write switch tape (consisting of 
a single cell), and a pair of communication tapes, one read-only and the other 
write-only. Several ITMs can be linked through their communication tapes. The 
security parameter, usually written in unary, is a shared input among a collection 
of linked ITMs, but each ITM may have separate, additional inputs. It is assumed 
that the linked ITMs are polynomial-time in the security parameter. Details may 
be found in [7,13]. 

The framework proposed in [7] involves a relationship between a real model representing protocol execution of actual protocols and an ideal model representing a generic version of a cryptographic task. A protocol in the real model securely realizes the task if it emulates an ideal process for the task. Either model consists of a finite set of ITMs representing the parties in the protocol, another ITM representing the protocol adversary, and yet another ITM representing the computational environment, including other protocol executions and their adversaries, other users, etc. The environment has external input known only to itself. The environment provides the inputs to other parties and it reads their outputs. The basic idea is that from the environment's point of view, executing the protocol in the real model should look the same as the ideal process. In somewhat more detail, a real protocol P securely realizes an ideal process I if for any real adversary A there is an ideal adversary S such that no environment can tell with non-negligible probability whether it is interacting with P and A in the real model or with I and S in the ideal model. A general composition theorem is proved in [7] and a wide variety of protocols have been studied in this framework in [7,9] and in several other papers. A related framework based on secure reactive systems, in which ITMs are seen from the perspective of input/output automata [18], is studied in [25,26,3,4].

In comparison, keeping in mind that our language of functional terms is rich enough to reflect probabilistic polynomial-time computable functions (and only those functions), functions computed by single ITMs may be represented in the framework discussed in this paper by simple process expressions, with channels representing communication tapes. Finite sets of ITMs may be represented by a parallel composition of processes, or more generally, by contexts that involve parallel composition.
Adversaries and the environment are represented by contexts. In this paper we 
presented this in more detail in the example of oblivious transfer in the case of 
non-adaptive adversaries. We have investigated several other protocols in this 
light and we believe there is a general correspondence between our framework 
and the frameworks based on ITMs. In this regard it is useful to remember that 
any process expression in our calculus is provably executable in probabilistic 
polynomial-time [23]. An interesting technical point is that we consider exter- 
nal probabilistic polynomial-time schedulers of input/output communications on 
channels while in [7] the scheduling of communications is done by the adversary. 
It is possible, however, to force the scheduling by structuring the contexts ap- 
propriately, in particular the contexts playing the role of the adversary. This 
feature is already present in the specific example in the previous section. 

5 Conclusions 

We have expressed security requirements for cryptographic protocols in the 
framework of a probabilistic polynomial-time process calculus. We have also 
proved an abstract composition theorem for security properties. These results 
provide a framework for a compositional analysis of security protocols. We 
showed how to express an oblivious transfer protocol and its security require- 
ments in the process calculus. Finally, we have discussed a relationship between 
our process calculus and the interactive Turing machine approaches in [7,25]. 
There are several advantages of using a process calculus instead of interactive Turing machines. Namely, the process calculus is a much more natural and clear language for specifying protocols than the low-level vocabulary of interactive Turing machines. Indeed, the precise, formal process calculus expressions remind one of high-level programming language code and are often actually shorter than even the informal descriptions of the protocol in English, let alone the low-level details of Turing machines. Another advantage lies in the fact that compositional issues are dealt with in an intrinsic, built-in way using process calculus. Indeed, in order to show the composition theorem, it is enough to prove a congruence property for the emulation relation. The candidate for the congruence relation is obvious: if A emulates B then C[A] emulates C[B] for any context C. Moreover, we note that probabilistic polynomial-time process calculus provides an adequate setting for the concepts related to computational security, since both the parties and the adversaries expressed in the process calculus are provably bounded by probabilistic polynomial-time algorithms. Indeed, the work presented here may be seen as a contribution to the more general effort of giving rigorous definitions of security properties independent of particular protocols.
Abstract. The cryptographic concept of simulatability has become a salient technique for faithfully analyzing and proving security properties of arbitrary cryptographic protocols. We investigate the relationship between simulatability in synchronous and asynchronous frameworks by means of the formal models of Pfitzmann et al., which are seminal in using this concept in order to bridge the gap between the formal-methods and the cryptographic community. We show that the synchronous model can be seen as a special case of the asynchronous one with respect to simulatability, i.e., we present an embedding between both models that we show to preserve simulatability. We show that this result allows for carrying over lemmas and theorems that rely on simulatability from the asynchronous model to its synchronous counterpart without any additional work. Hence future work can concentrate on the more general asynchronous case, without having to neglect the analysis of synchronous protocols.



1 Introduction 

In recent times, the analysis of cryptographic protocols has been getting more and more attention, and the demand for general frameworks for representing cryptographic protocols and the security requirements of cryptographic tasks has been rising. Existing frameworks are either motivated by the complexity-theoretic view on cryptography, which aims at proving cryptographic protocols with respect to the cryptographic semantics, or they are motivated by the view of the formal-methods community, which aims at capturing abstractions of cryptography in order to make such protocols accessible for formal verification. Frameworks built on abstractions will be further dealt with in the related literature along with a discussion on the cryptographic justification of these abstractions.

For living up to the probabilistic nature of cryptography, a framework for dealing with actual cryptography necessarily has to be able to deal with probabilistic behaviors. The standard understanding in well-known, non security-specific probabilistic frameworks like [31,33] is that the order of events is fixed by means of a probabilistic scheduler that has full information about the system. In contrast to that, the standard understanding in cryptology (closest to a rigorous definition in [10]) is that the adversary schedules everything, but only with realistic information. This corresponds to making a certain subclass of schedulers explicit for the model from [31]. However, if one splits a machine

* The full version is available from http://eprint.iacr.org/2003/114.
into local submachines, or defines intermediate systems for the purposes of proof only, this may introduce many schedules that do not correspond to a schedule of the original system and therefore just complicate the proofs. The typical solution is a distributed definition of scheduling which allows machines that have been scheduled to schedule certain (statically fixed) other machines themselves.

Based on these requirements, several general definitions of secure protocols were developed over the years, e.g. [15,7,28,11,30,12], which are all potential candidates for such a framework. To allow for a faithful analysis of cryptographic protocols, it is well-known that such models not only have to capture probabilistic behaviors, but also complexity-theoretically bounded adversaries as well as a reactive environment of the protocol, i.e., continuous interaction with the users and the adversary. Unfortunately, most of the above work does not live up to these requirements in spite of its generality, mainly since it concentrates on the task of secure function evaluation, which does not capture a reactive environment. Currently, the models of Pfitzmann et al. [28,30] and Canetti [12], which have been developed concurrently but independently, stand out as the standard models for sound protocol analysis and design.

Regarding the underlying definition of time, such models can be split into syn- 
chronous and asynchronous ones. In synchronous models [28], time is assumed to be 
expressible in rounds, whereas asynchronous scenarios [30,12] do not impose any as- 
sumption on time. This makes asynchronous scenarios attractive since no assumption is 
made about network delays and the relative execution speed of the parties. Moreover, 
the notion of rounds is difficult to justify in practice as it seems to be very difficult to 
establish them for the Internet for example. This attractiveness is substantiated by a large 
body of literature on asynchronous cryptographic protocols, e.g., [8,14]. However, time 
guarantees are sometimes explicitly desired, e.g., on when a process can abort. Hence 
assumptions have to be made in this case, which induce a certain amount of synchrony 
again. This sometimes makes a synchronous assumption of time nevertheless necessary 
in practice, e.g., in Kerberos [23]. 

Hence researchers usually restrict their attention to one definition of time, or they 
run double-tracked by maintaining two separate models. However, this presupposes 
proving every theorem for both models. This is not nice. An alternative approach, taken 
in this work, is to show that the synchronous model can be regarded as a special case of 
an asynchronous one, and hence does not have to be considered separately, but can still 
be used to conveniently express synchronous protocols. 

Although this idea might not be surprising, it is very difficult to achieve since it 
turns out that carrying over results from the asynchronous to the synchronous model 
presupposes the ability of (at least partially) reversing the considered embedding. Recall 
that suitable frameworks, especially the frameworks of Canetti and Pfitzmann et al., 
have a distributed scheduling which significantly complicates this reversion. 

Formally, a special case means that there is an embedding into the asynchronous 
model that preserves a desired property. Which property has to be preserved depends on 
the goals to strive for. For cryptographic protocols, the property of simulatability stands 
out. Simulatability captures the notion of a cryptographically secure implementation and 
serves as a link to the formal-methods community, which typically only holds a top-level 
view of cryptography, where cryptographic primitives are replaced by deterministic 
abstractions. A more comprehensive discussion of simulatability and its relationship 
to protocol verification work done by the formal-methods community is given in the 
paragraph on related literature below. 

In the following, we investigate the synchronous and asynchronous models of Pfitz- 
mann et al. [28,30], which are seminal in using the concept of simulatability to bridge 
the gap between the formal-methods and the cryptographic community. We show that the 
synchronous model can be embedded in the asynchronous model such that simulatability 
is preserved by this embedding, i.e., if two systems fulfill the simulatability relation in 
the synchronous model, their respective images fulfill the relation in the asynchronous 
model and vice versa. We show that this result allows for carrying over lemmas and 
theorems from the asynchronous case to the synchronous case without proving them 
twice. We are confident that this result helps to make future protocol analysis in these 
models more convenient and more efficient. 

Moreover, we believe that our approach for establishing the embedding and its prop- 
erties can be successfully used for other models with only minor changes. Especially the 
asynchronous model of Canetti is surely worth investigating. However, his corre- 
sponding synchronous model [11] is still specific for secure function evaluation; hence 
adapting it to a reactive environment is a necessary prerequisite for this future work. 
The lack of such a reactive synchronous model was - besides the fact that the models of 
Pfitzmann et al. are more rigorously defined than the one of Canetti - our main reason 
why we decided to base our work on the model of Pfitzmann et al. 

Related Literature. If cryptographic protocols are to be verified using formal methods, 
some kind of abstraction is needed as the underlying reduction proofs of cryptography 
are still out of scope of current verification techniques. This abstraction is usually based 
on the so-called Dolev-Yao model [13], which considers cryptographic primitives as 
operators in a free algebra where only predefined cancellation rules hold. This abstraction 
simplifies proofs of larger protocols considerably, and it gave rise to a large body of 
literature on analyzing the security of protocols using techniques for formal verification 
of computer programs (a very partial list of work includes [22,9,20,26,1]). 

Since this line of work turned out to be very successful, the interesting question 
arose whether these abstractions are indeed justified from the view of cryptography, i.e., 
whether properties proved for the abstractions are still valid for the cryptographic imple- 
mentation. Abadi et al. showed in [3,2] that the Dolev-Yao model is cryptographically 
faithful at least for symmetric encryption and synchronous protocols. There, however, 
the adversary is restricted to passive eavesdropping. Consequently, it was not necessary 
to choose a reactive model of a system and its honest users, and the notion of simulata- 
bility could be replaced by the weaker notion of indistinguishability [34]. Guttman et 
al. showed in [17] that the probability of two executions of the same protocol - either 
executed in a Dolev-Yao-like framework or using real cryptographic primitives - may 
deviate from each other by at most a certain bound. However, their results are specific for 
the Wegman-Carter system so far. Moreover, as this system is information-theoretically 
secure, its security proof is much easier to handle than primitives with security guaran- 
tees only against computationally bounded adversaries since no reduction proofs against 
underlying number-theoretic assumptions have to be made. Some further approaches for 
special security goals or primitives are [32,19]. However, there is evidence that the orig- 
inal Dolev-Yao model is not justified in the presence of active attacks, even if provably 
secure cryptographic primitives are used, cf. [27] for an (admittedly constructed) coun- 
terexample. This exemplifies the demand for “better” abstractions which the models of 
Canetti and of Pfitzmann et al. want to establish using the concept of simulatability. 

Simulatability bridges this gap by serving as a cryptographically sufficient relation- 
ship between abstract specifications and cryptographic implementations, i.e., abstrac- 
tions which can be shown to simulate a given implementation in a particular sense are 
known to be sound with respect to the security definitions of cryptography. Simulata- 
bility was first invented for multi-party function evaluation [15,7,11], i.e., systems with 
only one initial input set and only one output set. An extension to a reactive scenario, 
where participants can make new inputs many times, e.g., start new sessions like key 
exchanges, was first fully defined in [27], with extensions to asynchronous systems in 
[30,12]. Each of the three considered models has already been successfully used to build 
sound abstractions of various cryptographic primitives and all of them enjoy a com- 
position theorem, i.e., large protocols can be refined step-wise without destroying the 
already proven properties. 

Comparing the models of Canetti and Pfitzmann et al., we can state that Canetti’s 
work enjoys a more general composition theorem and has moreover addressed more 
cryptographic primitives so far. On the other hand, the models of Pfitzmann et al. are 
more rigorously defined and early examples of tool-supported proofs in their models 
exist [5,4], using PVS [25]. Moreover, the recently published universally composable 
cryptographic library [6] may pave the way to formal verification of large security 
protocols within their models. 

2 Review of the Reactive Models in Synchronous and Asynchronous Networks 

In this section we review the synchronous and the asynchronous model for probabilistic 
reactive systems as introduced in [28] and [30], respectively. Several definitions are only 
sketched, whereas those that are essential for understanding our upcoming results are 
given in full detail. 

2.1 General System Model 

In the following we consider a finite alphabet Σ and some special symbols !, ?, ↔, ◁ ∉ Σ 
that will be used to express different ports of machines. For s ∈ Σ* and l ∈ N₀, we 
define s⌈l to be the l-letter prefix of s. 

Our machine model is probabilistic state-transition machines, similar to probabilistic 
I/O automata as sketched by Lynch [21]. Communication between different machines 
is done via ports which are divided into input and output ports. Inspired by the CSP 
notation [18] we write input and output ports as q? and q!. Let q!^c := q? and vice versa; 
for a set P of input and output ports, let P^c := {q^c | q ∈ P}. 

Ports will later be connected by naming convention, i.e., a port q! always sends 
messages to q?. In the asynchronous model, a special machine called a buffer will 
further be inserted in each connection to ensure asynchronous behavior. A buffer stores 
all of its inputs in an internal list. If a machine wants to schedule the i-th message of 
buffer q̃ (this machine must have the unique clock-out port q◁!), it simply sends i at q◁!, 
cf. Fig. 1. The buffer then outputs the i-th message and removes it from its internal list. 
Neither buffers nor clock ports occur in the synchronous model; they are just included 
to establish a distributed scheduling in the asynchronous case. 

Fig. 1. Ports and buffers 

A machine M has a name name_M, a sequence Ports_M of ports, containing both input 
ports and output ports, and a set States_M of states, comprising sets Ini_M and Fin_M of 
initial and final states, respectively. If a machine is switched, it receives an input tuple I 
at its input ports and performs its transition function δ_M yielding a new state and an 
output tuple O in the deterministic case, or a finite distribution over the set of states and 
possible outputs in the probabilistic case. Furthermore, each machine has a bound l_M 
on the length of the considered inputs which allows time bounds on the computation 
time independent of the environment. The parts of an input that are beyond the length 
bound are ignored, i.e., incoming strings are only processed up to a predefined length. 
In particular, this is used to ensure polynomial runtime of individual machines. 

For a set M of machines, let ports(M) denote the set of ports of all machines M ∈ M. 
Machines usually start with one initial input, i.e., the starting state is parameterized. 
Complexity is measured in terms of the length of this initial input, usually a security 
parameter k given in unary representation; in particular, polynomial-time is meant in 
this sense. We only briefly state here that these machines have a natural realization as 
a probabilistic interactive Turing machine as introduced in [16]. We call a machine M 
a black-box submachine of a machine M' if the machine M' has access to the state- 
transition function of M, i.e., it can execute δ_M for the current state of the machine 
and arbitrary inputs. 

A collection C of machines is a finite set of machines with pairwise different machine 
names and disjoint sets of ports. In the asynchronous model, the completion [C] of a 
collection C is the union of all machines of C and the buffers needed for every channel. 
A port of a collection is called free if its connecting port is not in the collection. These 
ports will be connected to the users and the adversary. The free ports of a collection C 
are denoted as free(C). In the asynchronous model, a collection C is called closed if 
its completion [C] has no free ports except a special master clock-in port clk◁?, i.e., 
free([C]) = {clk◁?}. When we define the interaction of several machines, this port will 
be used to resolve situations where the interaction cannot proceed. In the synchronous 
case, we demand free(C) = ∅ instead. 

For security purposes, special collections are needed, because an adversary may 
have taken over parts of the initially intended system, e.g., different situations have to be 
captured depending on which and how many users are considered as being malicious. 
Therefore, a system consists of several possible remaining structures. 

Definition 1. (Structures and Systems) A structure is a pair struc = (M, S) where M 
is a collection of non-buffer machines called correct machines, and S ⊆ free(M) is 
called specified ports. If M is clear from the context, let S̄ := free(M) \ S. We call 
forb(M, S) := ports(M) ∪ S̄^c the forbidden ports, i.e., those ports that the honest user 
is forbidden to have. A system Sys is a set of structures. It is polynomial-time iff all 
machines in all its collections M are polynomial-time. ◇ 

The separation of the free ports into specified ports and others is an important feature 
of the upcoming security definition. The specified ports are those where a certain ser- 
vice is guaranteed. Note that this definition is valid for both the synchronous and the 
asynchronous case. In particular, buffers do not have to be explicitly included in the 
specification of a system, e.g., in the specification of a cryptographic protocol that one 
wants to analyze. The different timing assumptions stem from the different definitions of 
runs which we will introduce below. 

A structure can be completed to a configuration by adding machines H and A, mod- 
eling the joint honest users and the adversary, respectively. The machine H is restricted 
to the specified ports S, A connects to the remaining free ports of the structure and both 
machines can interact, e.g., in order to model active attacks. 

Definition 2. (Configurations) A configuration of a system Sys is a tuple conf = (M, S, 
H, A) where (M, S) ∈ Sys is a structure, M ∪ {H, A} is a closed collection, and 
ports(H) ∩ forb(M, S) = ∅. The set of configurations is written Conf(Sys). The set of 
configurations with polynomial-time user H and adversary A is called Conf_poly(Sys). 
The index poly is omitted if it is clear from the context. The initial states of all machines 
in a configuration are a common security parameter k in unary representation. ◇ 

2.2 Capturing Asynchronous Runs 

For a configuration, both models define a probability space of runs (sometimes called 
traces or executions). In the asynchronous model, scheduling of machines is done se- 
quentially, so we have exactly one active machine M at any time. If this machine has 
clock-out ports, it is allowed to select the next message to be scheduled as explained at 
the beginning of Sect. 2.1. If this message exists, it is delivered by the buffer and the 
unique receiving machine is the next active machine. If M tries to schedule multiple 
messages, only one is taken, and if it schedules none or the message does not exist, the 
special master scheduler is scheduled. This is formally captured as follows. 

Definition 3. (Asynchronous Runs and Views) For a given configuration conf = (M, S, 
H, A) with master scheduler X ∈ M ∪ {A}, set C := [M ∪ {H, A}]. The probability 
space of runs is defined inductively by the following algorithm. It has a variable r for the 
resulting run, an initially empty list, a variable M_cs (“current scheduler”) over machine 
names, initially M_cs := X, and treats each port as a variable over Σ*, initialized with 
ε except for clk◁? := 1. Probabilistic choices only occur in Phase (1). 

1. Switch current scheduler: Switch machine M_cs, set (s', O) ← δ_{M_cs}(s, I) for its 
current state s and input port values I. Then assign ε to all input ports of M_cs. 

2. Termination: If X is in a final state, the run stops. 

3. Buffer messages: For each simple output port q! of M_cs in the given order, switch 
buffer q̃ with input q↔? := q!, cf. Fig. 1. Then assign ε to all these ports q! and 
q↔?. 

4. Clean up scheduling: If at least one clock-out port q◁! of M_cs has a value ≠ ε, let q◁! 
denote the first such port and assign ε to the others. Otherwise let clk◁? := 1 and 
M_cs := X and go back to Phase (1). 

5. Scheduled message: Switch q̃ with input q◁? := q◁! (cf. Fig. 1), set q? := q↔! and 
then assign ε to all ports of q̃ and to q◁!. Let M_cs := M' for the unique machine M' 
with q? ∈ ports(M'). Go back to Phase (1). 

Whenever a machine (this may be a buffer) with name name_M is switched from (s, I) to 
(s', O), we add a step (name_M, s, I', s', O) with I' := I⌈l_M to the run r, except if s is 
final or I' = (ε, . . . , ε). For each value of the security parameter, this gives a random 
variable denoted as run_{conf,k}; hence we obtain a family of random variables 

$run_{conf} = (run_{conf,k})_{k \in \mathbb{N}}.$ 

The view of a subset M ⊆ C in a run r is the restriction of r to M, i.e., the subsequence 
of all steps (name_M, s, I', s', O), where name_M is the name of a machine M ∈ M. This 
gives a family of random variables 

$view_{conf}(M) = (view_{conf,k}(M))_{k \in \mathbb{N}}.$ 

For a singleton M = {H} we write view_conf(H) instead of view_conf({H}). ◇ 

This rather informal definition of runs can naturally be formalized using transition prob- 
abilities, which induce probability spaces over the finite sequences of steps similar to 
Markov Chains. The extension to infinite sequences can then be achieved using well- 
established results of measure theory and probability theory, cf. Sect. 5 of [24]. It is 
further easy to show that views of polynomial-time machines are of polynomial size. 
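The run algorithm of Definition 3, with buffers and clock ports, as an added example that is not the paper's own code: a small Python simulator executing Phases (1) to (5) on a constructed closed collection. The port spellings ("q<->?", "q<|!", "clk<|?"), the toy machines X, P and H, and the rule that an empty delivery hands control back to the master scheduler (taken from the informal description at the start of Sect. 2.2) are assumptions of this example.

```python
"""Executable reading of the asynchronous run algorithm (Definition 3).
Added example, not code from the paper.  Port spellings are constructed: "q?"/"q!"
are the simple ports of channel q, "q<->?"/"q<->!" the ports of its buffer q~, and
"q<|!"/"q<|?" its clock-out/clock-in ports; "clk<|?" is the master clock-in port.
The toy machines X (adversary and master scheduler), P and H are constructed too."""
from dataclasses import dataclass
from typing import Callable, Dict, List

EPS = ""            # the empty string epsilon
CLK = "clk<|?"      # master clock-in port

@dataclass
class Machine:
    name: str
    in_ports: List[str]
    out_ports: List[str]      # simple output ports q!, in the order used by Phase (3)
    clock_outs: List[str]     # clock-out ports q<|!, in the order used by Phase (4)
    state: object
    final: set
    delta: Callable           # delta(state, inputs) -> (new_state, outputs)
    bound: int = 64           # length bound l_M: inputs are cut to this many letters

def run(machines: Dict[str, Machine], master: str, max_switches: int = 1000):
    """Return (steps, buffers): the run r as a list of steps (name, s, I', s', O) and
    the final contents of every buffer q~ (keyed by q).  Machines are updated in place."""
    ports: Dict[str, str] = {CLK: "1"}
    get = lambda p: ports.get(p, EPS)
    buffers: Dict[str, List[str]] = {q[:-1]: [] for m in machines.values() for q in m.out_ports}
    receiver = {p: m.name for m in machines.values() for p in m.in_ports}
    steps, cs = [], master
    for _ in range(max_switches):
        m = machines[cs]
        # Phase (1): switch the current scheduler on I' := I cut to the length bound
        inputs = {p: get(p)[: m.bound] for p in m.in_ports}
        s = m.state
        s2, outs = m.delta(s, inputs)
        if s not in m.final and any(v != EPS for v in inputs.values()):
            steps.append((m.name, s, inputs, s2, outs))
        m.state = s2
        for p in m.in_ports:
            ports[p] = EPS
        ports.update(outs)
        # Phase (2): the run stops once the master scheduler is in a final state
        if machines[master].state in machines[master].final:
            break
        # Phase (3): each message at a simple output port is stored by its buffer
        for q in m.out_ports:
            msg, b = get(q), buffers[q[:-1]]
            if msg != EPS:
                before = list(b)
                b.append(msg)
                steps.append((q[:-1] + "~", before, {q[:-1] + "<->?": msg}, list(b), {}))
            ports[q] = EPS
        # Phase (4): only the first non-empty clock-out port is honoured
        live = [c for c in m.clock_outs if get(c) != EPS]
        for c in live[1:]:
            ports[c] = EPS
        if not live:
            ports[CLK], cs = "1", master
            continue
        q, idx = live[0][:-3], get(live[0])   # "b<|!" -> channel "b", index as a string
        ports[live[0]] = EPS
        # Phase (5): the buffer delivers the selected message to the unique receiver; if
        # the message does not exist, control returns to the master scheduler (Sect. 2.2)
        b, i = buffers[q], int(idx)
        before = list(b)
        msg = b.pop(i - 1) if 1 <= i <= len(b) else EPS
        steps.append((q + "~", before, {q + "<|?": idx}, list(b), {q + "<->!": msg}))
        if msg == EPS:
            ports[CLK], cs = "1", master
        else:
            ports[q + "?"], cs = msg, receiver[q + "?"]
    return steps, buffers

def view(steps, names: set):
    """Restriction of a run to the steps of the machines in `names`."""
    return [st for st in steps if st[0] in names]

def toy_configuration() -> Dict[str, Machine]:
    """Constructed: X pings P; P answers X and notifies H but clocks only one buffer."""
    def x_delta(s, I):
        if s == 0 and I[CLK] != EPS:
            return 1, {"a!": "ping", "a<|!": "1"}
        if s == 1 and I["b?"] == "pong":
            return "done", {}
        return s, {}
    def p_delta(s, I):
        if I["a?"] == "ping":
            return s + 1, {"b!": "pong", "out!": "ok", "b<|!": "1", "out<|!": "1"}
        return s, {}
    def h_delta(s, I):
        return (s + 1 if I["out?"] != EPS else s), {}
    X = Machine("X", [CLK, "b?"], ["a!"], ["a<|!"], 0, {"done"}, x_delta)
    P = Machine("P", ["a?"], ["b!", "out!"], ["b<|!", "out<|!"], 0, set(), p_delta)
    H = Machine("H", ["out?"], [], [], 0, set(), h_delta)
    return {m.name: m for m in (X, P, H)}
```

Running `run(toy_configuration(), "X")` shows the sequential scheduling of Sect. 2.2: P clocks two buffers at once, only the first clock-out port is honoured, and the message for H stays in its buffer when X reaches a final state, so H never gets a step and view(steps, {"H"}) is empty.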

2.3 Capturing Synchronous Runs 

In the synchronous model, ports, machines, collections, structures, and systems are 
defined similar to the asynchronous model. The only exception is that there are no clock 
ports and no buffers, which have only been included to model asynchronous timing, 
i.e., corresponding ports p? and p! are directly connected. The main difference is the 
definition of runs. Instead of our asynchronous run algorithm (cf. Definition 3), runs are 
defined using rounds, which is the usual concept in synchronous scenarios. Every global 
round is again divided into n so-called subrounds, and there is a mapping κ, called 
clocking scheme, from the set {1, . . . , n} into the powerset of considered machines, 
i.e., the machines of the structure, the user, and the adversary. Here κ(i) denotes the 
machines that switch in subround i. We call a clocking scheme valid if every machine 
is clocked at most once between two successive clockings of the adversary. 

Unifying Simulatability Definitions in Cryptographic Systems 357 

Definition 4. (Synchronous Runs and Views) Given a configuration conf = (M, S, 
H, A) along with a clocking scheme κ for n ∈ N, runs are defined as follows: Each global 
round i has n subrounds. In subround [i.j] all machines M ∈ κ(j) switch simultaneously, 
i.e., each state-transition function δ_M is applied to M’s current input yielding a new state 
and output (probabilistically). The output at a port p! is available as input at p? until 
the machine with port p? is switched. If several inputs arrive until that time, they are 
concatenated. This gives a family of random variables 

$run_{conf} = (run_{conf,k})_{k \in \mathbb{N}}.$ 

More precisely, each run is a function mapping each triple (M, i, j) ∈ (M ∪ {H, A}) × N × 
{1, . . . , n} to a quadruple (s, I', s', O) of the old and new state, inputs (with I' := I⌈l_M 
again), and outputs of machine M in subround [i.j], with I' = ε, O = ε, and s = s' 
if M is not switched in this subround. The view of M ⊆ M ∪ {H, A} in a run r is the 
restriction of r to M × N × {1, . . . , n}. This gives a family of random variables 

$view_{conf}(M) = (view_{conf,k}(M))_{k \in \mathbb{N}}.$ 

◇ 

Again, the view of a polynomial-time machine can easily be shown to be of poly- 
nomial size. Alternatively, we can consider runs as a sequence of seven-tuples 
(M, i, j, s, I', s', O) for ascending values of i and j, where tuples with the same val- 
ues i and j can be ordered arbitrarily since they switch simultaneously and do not 
influence each other. This characterization of runs is equivalent to the original one (we 
just expanded the function), but it is better suited for our upcoming proofs. 

Instead of arbitrary clocking schemes as in the above definition of runs, the authors 
of [28] focus on only one special clocking scheme κ, given by (M ∪ {H}, {A}, {H}, {A}). 
Clocking the adversary between the correct machines is the well-known model of “rush- 
ing adversaries”. In [28], it has been shown that this clocking scheme does not restrict 
the possibilities of the adversary. Since our upcoming results hold for all valid clocking 
schemes, they in particular hold for rushing adversaries. 
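Rounds, subrounds and the clocking scheme of Definition 4, as an added example that is not from the paper: a Python simulator that switches all machines of a subround simultaneously, concatenates inputs that arrive before their owner switches, checks validity of a clocking scheme, and runs the rushing-adversary scheme (M ∪ {H}, {A}, {H}, {A}) for M = {P}. The machines P, H and A, their ports and messages, and the convention that a machine clocked in the same subround as the adversary counts toward the interval that starts there are assumptions of this example.

```python
"""Synchronous runs by rounds and subrounds under a clocking scheme (Definition 4).
Added example, not code from the paper.  kappa is a list of sets, kappa[j-1] being
the machines that switch in subround j.  The machines P, H and A, their ports and
messages are constructed for illustration."""
from typing import Callable, Dict, List, Set

EPS = ""
RUSHING = [{"P", "H"}, {"A"}, {"H"}, {"A"}]   # (M u {H}, {A}, {H}, {A}) for M = {P}

class SyncMachine:
    def __init__(self, name: str, in_ports: List[str], delta: Callable, state=0, bound=64):
        self.name, self.in_ports, self.delta = name, in_ports, delta
        self.state, self.bound = state, bound       # bound = length bound l_M

def valid_clocking_scheme(kappa: List[Set[str]], adversary: str = "A") -> bool:
    """Every machine is clocked at most once between two successive clockings of the
    adversary.  Subrounds repeat cyclically over global rounds; a machine clocked in
    the same subround as the adversary counts toward the interval starting there
    (a convention assumed here)."""
    n = len(kappa)
    adv = [j for j in range(n) if adversary in kappa[j]]
    if not adv:
        return False                      # assumption: the adversary must be clocked
    for k, start in enumerate(adv):
        end, seen, j = adv[(k + 1) % len(adv)], {}, start
        while True:
            for m in kappa[j]:
                if m != adversary:
                    seen[m] = seen.get(m, 0) + 1
            j = (j + 1) % n
            if j == end:
                break
        if any(c > 1 for c in seen.values()):
            return False
    return True

def sync_run(machines: Dict[str, SyncMachine], kappa: List[Set[str]], rounds: int):
    """The run as a function (M, i, j) -> (s, I', s', O).  Machines not switched in a
    subround get I' = EPS, O = EPS and s = s'.  An output at p! waits at p?, concatenated
    with later outputs, until the owner of p? switches."""
    pending: Dict[str, str] = {}
    run = {}
    for i in range(1, rounds + 1):
        for j in range(1, len(kappa) + 1):
            clocked = sorted(kappa[j - 1])
            # simultaneous switching: every clocked machine reads its inputs before any
            # of them produces output, so same-subround outputs are seen one switching later
            snapshot = {name: {p: pending.get(p, EPS)[: machines[name].bound]
                               for p in machines[name].in_ports} for name in clocked}
            for name in clocked:
                for p in machines[name].in_ports:
                    pending[p] = EPS
            for name in clocked:
                m = machines[name]
                s = m.state
                s2, outs = m.delta(s, snapshot[name])
                m.state = s2
                run[(name, i, j)] = (s, snapshot[name], s2, outs)
                for p, v in outs.items():
                    pending[p[:-1] + "?"] = pending.get(p[:-1] + "?", EPS) + v
            for name in machines:
                if name not in kappa[j - 1]:
                    run[(name, i, j)] = (machines[name].state, EPS, machines[name].state, EPS)
    return run

def sync_view(run, names: Set[str]):
    """Restriction of the run to names x N x {1..n}, as sorted seven-tuples."""
    return sorted((M, i, j) + run[(M, i, j)] for (M, i, j) in run if M in names)

def toy_configuration() -> Dict[str, SyncMachine]:
    """Constructed: H asks P once; A sends "x" to P whenever clocked and records
    everything P reports at t?."""
    def h_delta(s, I):
        if s == 0:
            return 1, {"h!": "req"}
        if s == 1 and I["r?"] == "resp":
            return "satisfied", {}
        return s, {}
    def p_delta(s, I):
        if I["h?"] == "req":
            return s + 1, {"r!": "resp", "t!": "got:" + I["a?"]}
        return s, {}
    def a_delta(s, I):
        return (s + [I["t?"]] if I["t?"] != EPS else s), {"a!": "x"}
    return {"H": SyncMachine("H", ["r?"], h_delta),
            "P": SyncMachine("P", ["h?", "a?"], p_delta),
            "A": SyncMachine("A", ["t?"], a_delta, state=[])}
```

With RUSHING and two global rounds, P first sees H's request in round 2, subround 1, together with the concatenated input "xx" from the adversary's two clockings in round 1; the rushing adversary sees P's output in subround 2 of the same round, while H, switched simultaneously with P, only sees the response in subround 3.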

2.4 Simulatability 

The definition of one system securely implementing another one is based on the common 
concept of simulatability. Simulatability essentially means that whatever might happen 
to an honest user in a real system Sys_1 can also happen in an ideal system Sys_2: For every 
structure struc_1 ∈ Sys_1, every user H, and every adversary A_1, there exists an adversary 
A_2 on a corresponding ideal structure struc_2 such that the view of H is indistinguishable 
in the two configurations. Indistinguishability is a well-defined cryptographic notion 
from [34]. 

Definition 5. (Computational Indistinguishability) Two families (var_k)_{k∈N} and 
(var'_k)_{k∈N} of random variables (or probability distributions) on common domains D_k are 
computationally indistinguishable (“≈”) if for every algorithm Dis (the distinguisher) 
that is probabilistic polynomial-time in its first input, 

$|P(Dis(1^k, var_k) = 1) - P(Dis(1^k, var'_k) = 1)| \in NEGL.$ 

Intuitively, given the security parameter and an element chosen according to either var_k 
or var'_k, Dis tries to guess which distribution the element came from. ◇ 

Fig. 2. Overview of the simulatability definition (struc_2 ∈ f(struc_1)) 



Corresponding structures in the simulatability definition are designated by a function f 
from Sys_1 to the powerset of Sys_2. The function f is called valid if it maps structures 
with the same set of specified ports. 

Definition 6. (Simulatability) Let systems Sys_1 and Sys_2 with a valid mapping f be 
given. We say Sys_1 ≥^f Sys_2 if for every configuration conf_1 = (M_1, S, H, A_1) ∈ 
Conf_poly(Sys_1), there exists a configuration conf_2 = (M_2, S, H, A_2) ∈ Conf_poly(Sys_2) 
with (M_2, S) ∈ f(M_1, S) such that view_{conf_1}(H) ≈ view_{conf_2}(H). ◇ 

This is shown in Fig. 2. In the following, we augment ≥ with a subscript sync or async to 
distinguish the definition of the synchronous and asynchronous case. In a typical ideal 
system, each structure contains only one machine TH called trusted host, which serves 
as an ideal functionality of the real system. The machine TH is usually deterministic with 
a very simple transition function and hence in scope of current verification techniques. 

3 Idea and Definition of the Embedding 

The informal idea of the embedding φ_sys is to add an explicit master scheduler that 
should simulate the synchronous run induced by the given clocking scheme. However, 
due to the general distributed scheduling (cf. Definition 3), leaving the actual machines 
unmodified leads to non-simulatable situations, as these machines can clock themselves 
without ever giving control to this explicit master scheduler. 

Hence, we first define a mapping φ_M that surrounds single synchronous machines 
(i.e., machines that are designed for a synchronous environment) with an “asynchronous 
coat”. More precisely, if a synchronous machine M_sync makes a transition, it obtains all 
inputs at once that arrived since its last scheduling, whereas in asynchronous scenarios, 
these inputs come one by one and have to be processed in several transitions. Thus, 
the surrounding asynchronous machine φ_M(M_sync) stores all inputs internally, until it 
is asked to perform the transition of its synchronous submachine. This is modeled by a 
special port p_{M_sync}? of the machine φ_M(M_sync). An input at this port causes φ_M(M_sync) 
to schedule its submachine with the collected inputs and forward its outputs. As such 
embedded machines do not produce any clock outputs, the ports p_{M_sync}? can be used by 
the master scheduler to simulate the synchronous time by a suitable scheduling strategy. 

The formal definition of φ_M can be found in the full version. We only briefly state 
that φ_M(M_sync) is polynomial-time by construction iff M_sync is polynomial-time. For a 
set M of synchronous machines, we further define φ_M(M) := ∪_{M_sync ∈ M} φ_M(M_sync). 
The desired mapping φ_sys on synchronous systems then simply embeds every 
machine and adds a specific master scheduler to each structure, i.e., for an arbitrary 
structure (M_sync, S_s
ync) and clocking scheme κ, we obtain a structure (φ_M(M_sync) ∪ 
{X_{sync,κ}}, S_sync), where X_{sync,κ} is an explicit master scheduler defined as follows. Be- 
sides the master clock-in port, it has clock-out ports for clocking inputs and outputs 
of the given structure, for clocking the connection between A and H, and finally ports 
p_{M_sync}!, p_{M_sync}◁! for clocking, i.e., giving control to, each machine φ_M(M_sync). Internally, 
it maintains a variable local.rnd over {1, . . . , n} and a variable global.rnd over N, both 
initialized with 1. For the sake of readability, we describe the behavior of X_{sync,κ} using 
“for”-loops. This is just a notational convention that should be understood as follows: 
every time X_{sync,κ} is scheduled, it performs the next step of the loop. 

1. Schedule Current Machines: For all machines M_sync ∈ κ(local.rnd) output 
(global.rnd, local.rnd) at p_{M_sync}!, 1 at p_{M_sync}◁!. The order of the switched machines 
can be chosen arbitrarily. 

2. Schedule Outgoing Buffers: For all M_sync ∈ κ(local.rnd) output 1 at every port 
p◁! with p! ∈ Ports_{M_sync}. The order of the switched machines can be chosen arbitrarily 
except that output ports of the adversary are scheduled first if A ∈ κ(local.rnd).¹ 

3. Switch to next Round: Set local.rnd := local.rnd + 1. If local.rnd > n, set 
global.rnd := global.rnd + 1 and local.rnd := 1. Go to Phase (1). 
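The phase loop of X_{sync,κ}, as an added example that is not from the paper: a Python generator in which every next() is one scheduling of the master scheduler. It makes explicit that Phase (1) takes one activation per clocked machine and Phase (2) one per output port (an asynchronous machine can clock only one buffer per activation, Phase (4) of Definition 3), and that the adversary's output buffers are clocked first. The port spellings p_M!, p_M<|!, q<|! and the sample clocking scheme and port lists are constructed.

```python
"""The master scheduler X_sync,kappa as a generator: each next() is one scheduling of
X_sync,kappa and yields the outputs it makes in that activation.
Added example, not code from the paper.  Port spellings "p_M!", "p_M<|!" and "q<|!"
and the sample clocking scheme and port lists are constructed."""
from itertools import islice
from typing import Dict, Iterator, List, Set, Tuple

Activation = Tuple[int, int, str, Dict[str, object]]   # (global.rnd, local.rnd, phase, outputs)

def master_scheduler(kappa: List[Set[str]], out_ports: Dict[str, List[str]],
                     adversary: str = "A") -> Iterator[Activation]:
    """Phases (1)-(3) of X_sync,kappa.  kappa[j-1] is the set of machines switching in
    subround j; out_ports[M] lists the simple output ports p! of machine M."""
    n = len(kappa)
    global_rnd, local_rnd = 1, 1
    while True:
        clocked = kappa[local_rnd - 1]
        # Phase (1): hand control to each clocked machine, tagged with the current round
        for M in sorted(clocked):                  # any fixed order is allowed
            yield (global_rnd, local_rnd, "schedule",
                   {f"p_{M}!": (global_rnd, local_rnd), f"p_{M}<|!": 1})
        # Phase (2): clock the buffers on the clocked machines' output ports,
        # the adversary's ports first (footnote 1)
        for M in sorted(clocked, key=lambda M: (M != adversary, M)):
            for p in out_ports.get(M, []):
                yield (global_rnd, local_rnd, "deliver", {p[:-1] + "<|!": 1})
        # Phase (3): advance local.rnd, wrapping into the next global round
        local_rnd += 1
        if local_rnd > n:
            global_rnd, local_rnd = global_rnd + 1, 1

def activations(kappa, out_ports, count: int, adversary: str = "A") -> List[Activation]:
    """The first `count` activations of the master scheduler."""
    return list(islice(master_scheduler(kappa, out_ports, adversary), count))

def block_sizes(kappa, out_ports) -> List[Tuple[int, int]]:
    """Per subround: (Phase (1) activations, Phase (2) activations), i.e. how many
    master-scheduler steps the two blocks of one synchronous subround contain."""
    return [(len(k), sum(len(out_ports.get(M, [])) for M in k)) for k in kappa]
```

For the rushing scheme ({P, H}, {A}, {H}, {A}) with P owning two output ports and H and A one each, one global round costs 11 activations of the master scheduler, after which the tag (global.rnd, local.rnd) handed to the next machine reads (2, 1).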

We finally define a mapping φ_conf on synchronous configurations of a system Sys, i.e., 
configurations which consist of synchronous machines only, by 

$\varphi_{conf}(M_{sync}, S_{sync}, H, A) := (\varphi_M(M_{sync}) \cup \{X_{sync,\kappa}\}, S_{sync}, \varphi_M(H), \varphi_M(A)),$ 

with X_{sync,κ} given as in φ_sys for the particular structure. We will in the following simply 
write S instead of S_sync; we also write φ instead of φ_sys, φ_M, and φ_conf if its meaning 
is clear from the context. 

4 The Embedding Theorems 

We now have to prove that the function φ has the desired properties with respect to 
simulatability, i.e., we have 

$\varphi(Sys_{sync,1}) \ge_{async} \varphi(Sys_{sync,2}) \Rightarrow Sys_{sync,1} \ge_{sync} Sys_{sync,2},$ 

where we omitted the mappings, i.e., the superscript of both relations for the sake of 
readability. This captures the content of our first embedding theorem. Unfortunately, the 
converse direction does not hold, but our second embedding theorem will state a weaker 
version that is still sufficient for our purpose. 

We first take a look at the runs in a synchronous system Sys_sync and in its asyn- 
chronous counterpart φ(Sys_sync). We define a mapping ϕ on the runs of the asynchronous 
system yielding runs of the synchronous system. Intuitively, ϕ “compresses” an asyn- 
chronous run to its synchronous counterpart, which consists of much fewer steps. 

¹ Without this restriction, the behavior of the adversary could depend on outputs of machines 
scheduled in the same subround, which would lead to non-simulatable situations. 
4.1 Relating Asynchronous Runs and Synchronous Runs 

In the following, let an arbitrary synchronous system Sys_sync with a clocking scheme 
κ and an arbitrary configuration conf_sync = (M_sync, S, H_sync, A_sync) ∈ Conf(Sys_sync) 
be given. Moreover, let conf_async = (φ(M_sync) ∪ {X_{sync,κ}}, S, φ(H_sync), A') ∈ 
Conf(φ(Sys_sync)) be given (i.e., φ(conf_sync) but with an arbitrary adversary). We call 
such a configuration an embedded synchronous configuration with arbitrary adversary. 

Note that runs of conf_async always have a prescribed structure induced by the 
behavior of the master scheduler X_{sync,κ}: they are built by “blocks”. The steps 
(M_sync, i, j, s, I', s', O) of the machines M_sync ∈ M_sync ∪ {H_sync} switched in round 
[i.j] in the synchronous run are represented by two blocks in the asynchronous run. The 
first block corresponds to Phase (1) in the definition of X_{sync,κ} and hence consists of 
those steps induced by clocking the machines φ(M_sync) with M_sync ∈ κ(j) and A' if 
A_sync ∈ κ(j). More precisely, it consists of |κ(j)| sub-blocks, one for each switched 
machine, where a sub-block for M_sync comprises the step of the master scheduler, the 
step of the scheduled buffer, the step of the switched machine, and steps for the receiv- 
ing buffers.² The second block corresponds to Phase (2) in the definition of X_{sync,κ} and 
hence consists of the steps of the buffers connected to the output ports of the switched 
machines as well as steps of the machines receiving the scheduled message. 

Informally, the mapping ϕ combines the blocks of all machines M_sync ∈ κ(j) yielding 
the synchronous step of every machine M_sync that switches in the j-th subround of the 
particular global round. Note that all necessary information (e.g., M_sync, i, j, s, s' etc.) is 
already given by the blocks except for the gathered inputs I. The mapping overcomes 
this absence by collecting all “partial” inputs itself. It now also becomes clear why we 
defined the master scheduler to schedule each machine specifically with a tuple (i, j) 
indicating the current global and local round, since this information would otherwise 
not be contained in the asynchronous run. The precise definition of the mapping is 
omitted due to lack of space. We only state that ϕ is also well-defined on the view of 
arbitrary subsets of machines. The following lemma establishes a computational bound 
on the mapping ϕ in polynomial-time configurations: 

Lemma 1. Let conf_async be an embedded synchronous configuration with arbitrary 
adversary. If conf_async is polynomial-time, then ϕ applied to the view of the honest user 
and the adversary is computable in polynomial-time. □ 

We can moreover show that the mapping ϕ compresses the view of any machine in 
an embedded synchronous configuration to the view of the original machine in the 
synchronous configuration again. Formally, this is captured in the following theorem. 

Theorem 1. Let a synchronous system Sys_sync, a clocking scheme κ, and a configuration 
conf_sync = (M_sync, S, H_sync, A_sync) ∈ Conf(Sys_sync) be given, and set conf_async := 
φ(conf_sync). Then for every M_sync ∈ M_sync ∪ {H_sync, A_sync}, we have 

$view_{conf_{sync}}(M_{sync}) = \phi(view_{conf_{async}}(\varphi(M_{sync}))).$ 

Moreover, conf_async is polynomial-time iff conf_sync is polynomial-time. □ 

² For A', we might have additional steps because of clocked self-loops. 
The following theorem finally states that the runs obtained by applying the mapping ϕ to 
an embedded synchronous configuration with arbitrary adversary are equal to the runs 
in the synchronous system for a suitable synchronous adversary. 

Theorem 2. Let a synchronous system Sys_sync, a valid clocking scheme κ, and a con- 
figuration conf_async = (φ(M_sync) ∪ {X_{sync,κ}}, S, φ(H_sync), A') ∈ Conf(φ(Sys_sync)) 
be given. Then there exists an adversary A_sync using A' as a blackbox such that for 
conf_sync := (M_sync, S, H_sync, A_sync) and every M_sync ∈ (M_sync ∪ {H_sync}), we have 

$view_{conf_{sync}}(M_{sync}) = \phi(view_{conf_{async}}(\varphi(M_{sync}))).$ 

Moreover, conf_async is polynomial-time iff conf_sync is polynomial-time. □ 

4.2 The Actual Embedding Theorems 

This section contains our two main theorems. We start with a well-known lemma cap- 
turing some basic properties of indistinguishable random variables. 

Lemma 2 (Indistinguishability). Indistinguishability of two families of random vari- 
ables implies indistinguishability of any function δ of them if δ is polynomial-time com- 
putable. Moreover, identically distributed variables are indistinguishable and indistin- 
guishability is an equivalence relation. □ 

Theorem 3. (First Embedding Theorem) Let two arbitrary synchronous systems 
Sys_{sync,1} and Sys_{sync,2} with clocking schemes κ_1 and κ_2 be given such that κ_2 is valid, 
and let φ(Sys_{sync,1}) ≥^f_async φ(Sys_{sync,2}) for a valid mapping f. Then 

$Sys_{sync,1} \ge^{f'}_{sync} Sys_{sync,2},$ 

where f' is defined as (M_2, S_2) ∈ f'(M_1, S_1) :⇔ φ(M_2, S_2) ∈ f(φ(M_1, S_1)). □ 

Proof. Let an arbitrary configuration $conf_{sync,1} = (\hat{M}_{sync,1}, S, H_{sync}, A_{sync,1}) \in Conf_{poly}(Sys_{sync,1})$ be given. We first apply $\phi_{conf}$ on $conf_{sync,1}$ yielding a configuration $conf_{async,1} = (\phi(\hat{M}_{sync,1}) \cup \{X_{sync,1,\kappa_1}\}, S, \phi(H_{sync}), \phi(A_{sync,1})) \in Conf(\phi(Sys_{sync,1}))$. According to Theorem 1, $conf_{async,1}$ is also polynomial-time and we have

$view_{conf_{sync,1}}(H_{sync}) = \phi(view_{conf_{async,1}}(\phi(H_{sync})))$. (1)

Thus, the precondition $\phi(Sys_{sync,1}) \ge^{f}_{async} \phi(Sys_{sync,2})$ can be applied yielding a configuration $conf_{async,2} = (\phi(\hat{M}_{sync,2}) \cup \{X_{sync,2,\kappa_2}\}, S, \phi(H_{sync}), A_{async,2}) \in Conf_{poly}(\phi(Sys_{sync,2}))$ with $view_{conf_{async,1}}(\phi(H_{sync})) \approx view_{conf_{async,2}}(\phi(H_{sync}))$ and $\phi(\hat{M}_{sync,2}, S) \in f(\phi(\hat{M}_{sync,1}, S))$. As both $conf_{async,1}$ and $conf_{async,2}$ are polynomial-time, Lemma 1 and Lemma 2 together yield

$\phi(view_{conf_{async,1}}(\phi(H_{sync}))) \approx \phi(view_{conf_{async,2}}(\phi(H_{sync})))$. (2)

We now apply Theorem 2 to the configuration $conf_{async,2}$, which yields a configuration $conf_{sync,2} = (\hat{M}_{sync,2}, S, H_{sync}, A_{sync,2}) \in Conf_{poly}(Sys_{sync,2})$ with

$\phi(view_{conf_{async,2}}(\phi(H_{sync}))) = view_{conf_{sync,2}}(H_{sync})$. (3)

Now Equations 1, 2, and 3 together with Lemma 2 finally yield $view_{conf_{sync,1}}(H_{sync}) \approx view_{conf_{sync,2}}(H_{sync})$. Moreover, we have $\phi(\hat{M}_{sync,2}, S) \in f(\phi(\hat{M}_{sync,1}, S))$, i.e., $(\hat{M}_{sync,2}, S) \in f'(\hat{M}_{sync,1}, S)$, which finally yields $Sys_{sync,1} \ge^{f'}_{sync} Sys_{sync,2}$. ■

So far, we have shown that asynchronous simulatability among the asynchronous representations implies synchronous simulatability, i.e.,

$\phi_{Sys}(Sys_{sync,1}) \ge_{async} \phi_{Sys}(Sys_{sync,2}) \Rightarrow Sys_{sync,1} \ge_{sync} Sys_{sync,2}$.

We already briefly stated that the converse implication does not hold in general. We would have to show that for each configuration $conf_{async,1} \in Conf_{poly}(\phi_{Sys}(Sys_{sync,1}))$ there exists an indistinguishable configuration $conf_{async,2} \in Conf_{poly}(\phi_{Sys}(Sys_{sync,2}))$ provided that $Sys_{sync,1} \ge_{sync} Sys_{sync,2}$. However, both the honest user and the adversary may have clock-out ports and they can alternately schedule each other (and also the system erratically), which cannot be captured by a fixed synchronous clocking scheme, so we cannot exploit our assumption $Sys_{sync,1} \ge_{sync} Sys_{sync,2}$.

Anyhow, it is sufficient for our purpose to show that the claim holds for at least those configurations where the honest user $H_{async}$ fits the form $\phi_M(H_{sync})$ for a synchronous machine $H_{sync}$. We denote this version of simulatability for the restricted class of users by $\ge_{async,H}$ in the sequel. It is immediately clear that the first embedding theorem also holds for the weaker precondition $\phi_{Sys}(Sys_{sync,1}) \ge_{async,H} \phi_{Sys}(Sys_{sync,2})$, since we only have to derive an indistinguishable configuration for users of the special form $\phi(H_{sync})$, and the user remains unchanged at simulatability. We can now present the second embedding theorem.

Theorem 4. (Second Embedding Theorem) Let two arbitrary synchronous systems $Sys_{sync,1}$ and $Sys_{sync,2}$ with clocking schemes $\kappa_1$ and $\kappa_2$ be given such that $\kappa_1$ is valid, and let $Sys_{sync,1} \ge^{f}_{sync} Sys_{sync,2}$ for a valid mapping $f$. Then

$\phi_{Sys}(Sys_{sync,1}) \ge^{f'}_{async,H} \phi_{Sys}(Sys_{sync,2})$,

where $f'$ is defined as $\phi(M_2, S_2) \in f'(\phi(M_1, S_1)) :\Leftrightarrow (M_2, S_2) \in f(M_1, S_1)$. □

5 Deriving Synchronous Theorems from Asynchronous Ones 

Recall that our long-term goal is to avoid proving theorems for both models. We now 
briefly show how our two embedding theorems can be used to circumvent this problem. 
One of the most important theorems of both models is transitivity of the relation $\ge$.

Lemma 3. (Transitivity) If $Sys_1 \ge^{f_1} Sys_2$ and $Sys_2 \ge^{f_2} Sys_3$, then $Sys_1 \ge^{f_3} Sys_3$ with $f_3(M_1, S)$ being the union of the sets $f_2(M_2, S)$ with $(M_2, S) \in f_1(M_1, S)$. □
This has been proven in [28] for the synchronous and in [30] for the asynchronous model. We now exemplarily show how to derive the synchronous version from the asynchronous one using our previous results.

Lemma 4. Assume that the asynchronous version of the transitivity lemma (Lemma 3) has already been proven; then the synchronous version holds as well. □

Proof. We omit the superscripts for the sake of readability. Let synchronous systems $Sys_1$, $Sys_2$, and $Sys_3$ be given such that $Sys_1 \ge_{sync} Sys_2$ and $Sys_2 \ge_{sync} Sys_3$. We have to show that $Sys_1 \ge_{sync} Sys_3$ holds, provided that asynchronous transitivity has already been proven. Our second embedding theorem implies $\phi(Sys_1) \ge_{async,H} \phi(Sys_2)$ and $\phi(Sys_2) \ge_{async,H} \phi(Sys_3)$. Obviously, the asynchronous version of transitivity is applicable to the relation $\ge_{async,H}$ instead of $\ge_{async}$ as well, since it is a special case only, and the honest user remains unchanged at simulatability. Thus, we can apply our (already proven) asynchronous version of the transitivity lemma, which yields $\phi(Sys_1) \ge_{async,H} \phi(Sys_3)$. Now, we use our first embedding theorem in conjunction with its subsequent remarks (stating that the theorem holds as well for the restricted version $\ge_{async,H}$ of simulatability), yielding $Sys_1 \ge_{sync} Sys_3$. ■

This proof technique is applicable to almost all theorems that rely on simulatability. As 
the most important example, we name the preservation theorem [29,4], which states that 
integrity properties expressed in linear-time logic are preserved under simulatability. The 
proof of this theorem is difficult and comprises several pages for both models. Using 
our work, the synchronous proof could as well be omitted. 
Abstract. A contract signing protocol lets two parties exchange digital signatures 
on a pre-agreed text. Optimistic contract signing protocols enable the signers to 
do so without invoking a trusted third party. However, an adjudicating third party 
remains available should one or both signers seek timely resolution. We analyze 
optimistic contract signing protocols using a game-theoretic approach and prove 
a fundamental impossibility result: in any fair, optimistic, timely protocol, an 
optimistic player yields an advantage to the opponent. The proof relies on a careful 
characterization of optimistic play that postpones communication to the third party. 
Since advantage cannot be completely eliminated from optimistic protocols, we 
argue that the strongest property attainable is the absence of provable advantage, 
i.e., abuse-freeness in the sense of Garay-Jakobsson-MacKenzie. 



1 Introduction 

A variety of contract signing protocols have been proposed in the literature, including gradual-release two-party protocols [5,7,12] and fixed-round protocols that rely on an adjudicating "trusted third party" [2,3,18,23,26]. In this paper, we focus on fixed-round protocols that use a trusted third party optimistically, meaning that when all goes well, the third party is not needed. The reason for designing optimistic protocols is that if a protocol is widely or frequently used by many pairs of signers, the third party may become a performance bottleneck. Depending on the context, seeking resolution through the third party may delay termination, incur financial costs, or raise privacy concerns. Obviously, the value of an optimistic protocol, as opposed to one that requires a third party signature on every transaction, lies in the frequency with which "optimistic" signers can complete the protocol without using the third party.

Some useful properties of contract signing protocols are fairness, which means that either both parties get a signed contract, or neither does, and timeliness, which generally means that each party has some recourse to avoid unbounded waiting. The reason for using a trusted third party in fixed-round protocols is a basic limitation [14,24] related to the well-known impossibility of distributed consensus in the presence of faults [17]:
Research and Education," for Scedrov from NSF Grant CCR-0098096, and for Shmatikov from ONR under Grants N00014-02-1-0109 and N00014-01-1-0837.
no fixed-length two-party protocol can be fair. Although there is a trivial protocol with 
a trusted third party, in which both signers always send their signatures directly to it, 
protocols that are fair, timely, and usefully minimize demands on the third party have 
proven subtle to design and verify. 

This paper refines previous models, formalizes properties from the literature on fixed- 
round two-party contract signing protocols, and establishes relationships between them. 
We use the set-of-traces semantics for protocols, defining each instance of the protocol 
as the set of all possible execution traces arranged in a tree. Our chosen notation is 
multiset rewriting [10], but the results would hold for other formalisms with the same 
basic execution model. 

Model for Optimism. One modeling innovation is an untimed nondeterministic setting 
that provides a set-of-traces semantics for optimism. Intuitively, optimistic behavior in 
contract signing is easily described as a temporal concept: an optimistic signer is one 
who waits for some period of time before contacting the trusted third party. If Alice is 
optimistic, and Bob chooses to continue the protocol by responding, then Alice waits 
for Bob’s message rather than contact the third party. Since the value of an optimistic 
protocol lies in what it offers to an optimistic player, we evaluate protocols subject to 
the assumption that one of the players follows an optimistic strategy. As a direct way of 
mathematically characterizing optimistic play, we allow an optimistic player to give his 
opponent the chance to signal (out of band) whether to wait for a message. This gives 
us a relatively easy way to define the set of traces associated with an optimistic signer, 
while staying within the traditional nondeterministic, untimed setting. 

Impossibility Result. In evaluating protocol performance for optimistic players, we prove 
that in every fair, timely protocol, an optimistic player suffers a disadvantage against a 
strategic adversary. The importance of this result is that optimistic protocols are only 
useful to the extent that signers may complete the protocol optimistically without con- 
tacting the third party. In basic terms, our theorem shows that to whatever degree a 
protocol allows signers to avoid the third party, the protocol proportionally gives one 
signer unilateral control over the outcome of the protocol. 

To illustrate by example, consider an online stock trading protocol with signed con- 
tracts for each trade. Suppose the broker starts the protocol, sending her commitment to 
sell stock to the buyer at a specific price, and the buyer responds with his commitment. 
To ensure timely termination, the broker also enjoys the ability to abort the exchange 
by contacting the trusted third party (TTP) if the buyer has not responded. Once the 
buyer commits to the purchase, he cannot use the committed funds for other purposes. 
Even if he has the option to contact the TTP immediately, an optimistic buyer will wait 
for some period of time for the broker to respond, hoping to resolve the transaction 
amicably and avoid the extra cost or potential delay associated with contacting the TTP. 
This waiting period may give the broker a useful window of opportunity. Once she has 
the buyer’s commitment, the broker can wait to see if shares are available from a selling 
customer at a matching or lower price. The longer the buyer is inclined to wait, the 
greater chance the broker has to pair trades at a profit. If the broker finds the contract 
unprofitable, she can abort the transaction by falsely claiming to the TTP that the buyer 
has not responded. This broker strategy succeeds in proportion to the time that the buyer 
optimistically waits for the broker to continue the protocol; this time interval, if known 
exactly or approximately, gives the broker a period where she can decide unilaterally 
whether to abort or complete the exchange. 

Abuse-Freeness. Since advantage against an optimistic player cannot be eliminated, the 
most a protocol can do is prevent the opponent from proving that he has an advantage. 
For example, even though the broker in our example has control over deciding whether 
the sale happens, the protocol may still be able to prevent her from showing the buyer’s 
commitment to other parties. Such protocols have been called abuse-free in the litera- 
ture [18]. We use a formal representation of knowledge derived from epistemic logic [19, 
16] to formalize the “ability to prove” and analyze abuse-freeness as the lack of provable 
advantage. 

The paper is organized as follows. In Sect. 2, we briefly summarize our semantic frame- 
work and define the class of two-party contract signing protocols with trusted third party. 
In Sect. 3, we formalize protocol properties such as fairness, optimism, and timeliness. 
In Sect. 4, we formalize optimistic behavior of a participant, and show that the optimistic 
participant is at a disadvantage in any fair, optimistic, timely protocol. In Sect. 5, we 
formalize provable advantage and abuse-freeness. Related work is discussed in Sect. 6. 
We summarize our results in Sect. 7. 

2 Model 

2.1 Multiset Rewriting Formalism 

Our protocol formalism is multiset rewriting with existential quantification, MSR [10], 
which can be seen as an extension of some standard models of computation, e.g., mul- 
tiset transformation [4] and chemical abstract machine [6]. This formalism faithfully 
expresses the underlying assumptions of the untimed, nondeterministic, asynchronous 
model. A protocol definition in MSR defines the set of all possible execution traces for 
any instance of the protocol. A number of other formalisms that do so, such as [1,15] 
and others, would have suited our purposes as well, and in this sense our main results 
are independent of the MSR formalism. The synchronous model with a global clock 
does not seem appropriate for our investigation because fixed-round contract signing 
protocols in the literature [2,3,18,23,26] do not rely on a global clock. 

MSR syntax involves terms, facts, and rules. To specify a protocol, first choose a 
vocabulary, or first-order signature. We assume that our vocabulary contains some basic 
sorts such as public-key for public keys and mssg for protocol messages. As usual, the 
terms over a signature are the well-formed expressions produced by applying functions 
to arguments of the correct sort. A fact is a first-order atomic formula over the chosen 
signature, without free variables. Therefore, a fact is the result of applying a predicate 
symbol to ground terms of the correct sort. A state is a finite multiset of facts. 

A state transition is a rule written using two multisets of first-order atomic formulas and existential quantification, in the syntactic form $F_1, \ldots, F_k \rightarrow \exists x_1 \ldots \exists x_j . G_1, \ldots, G_n$. The meaning of this rule is that if some state $S$ contains facts obtained by a ground substitution $\sigma$ from first-order atomic formulas $F_1, \ldots, F_k$, then one possible next state is the state $S'$ that is similar to $S$, but with facts obtained by $\sigma$ from $F_1, \ldots, F_k$ removed and facts obtained by $\sigma$ from $G_1, \ldots, G_n$ added, where $x_1, \ldots, x_j$ are replaced by new symbols. If there are free variables in the rule $F_1, \ldots, F_k \rightarrow \exists x_1 \ldots \exists x_j . G_1, \ldots, G_n$, these are treated as universally quantified throughout the rule. In an application of a rule, these variables may be replaced by any ground terms.

As an example, consider state $\{P(f(a)), P(b)\}$ and rule $P(x) \rightarrow \exists z . Q(f(x), z)$. The next state is obtained by instantiating this rule to $P(f(a)) \rightarrow \exists z . Q(f(f(a)), z)$. Applying the rule, we choose a new value $c$ for $z$ and replace $P(f(a))$ by $Q(f(f(a)), c)$, obtaining the new state $\{Q(f(f(a)), c), P(b)\}$.
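As an added illustration (not code from the paper), the following Python sketch implements MSR rule application with existential quantification and replays the example above, then applies a timeout rule of the form $Z(k, set) \rightarrow Z(k, timed\_out)$ used later in Sect. 2.2 to constructed timer facts. The term encoding (tuples for applications, '?'-prefixed strings for variables, a Counter as the multiset) is my own choice.

```python
from collections import Counter
from itertools import count

# Encoding (my own choice): a constant is a plain string, a variable is a string
# starting with '?', a function application is a tuple ('f', arg, ...), and a
# fact is a tuple (predicate, term, ...). A state is a multiset of ground facts.

_fresh = count()

def fresh(var):
    """New constant for an existentially quantified variable: '?z' -> 'z_0', 'z_1', ..."""
    return f"{var[1:]}_{next(_fresh)}"

def match(pattern, term, subst):
    """Extend `subst` so that pattern[subst] == term; return None on mismatch."""
    if isinstance(pattern, str):
        if pattern.startswith('?'):                 # variable: bind or check
            if pattern in subst:
                return subst if subst[pattern] == term else None
            return {**subst, pattern: term}
        return subst if pattern == term else None   # constant
    if isinstance(term, str) or len(pattern) != len(term) or pattern[0] != term[0]:
        return None                                 # different head symbol or arity
    for p, t in zip(pattern[1:], term[1:]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst

def substitute(term, subst):
    """Apply a substitution to a term or fact."""
    if isinstance(term, str):
        return subst.get(term, term)
    return (term[0],) + tuple(substitute(t, subst) for t in term[1:])

def match_lhs(lhs, state, subst):
    """Yield (substitution, consumed facts): each left-hand atom uses up one distinct fact."""
    if not lhs:
        yield subst, Counter()
        return
    for fact in list(state):
        s = match(lhs[0], fact, subst)
        if s is None:
            continue
        rest = state.copy()
        rest[fact] -= 1
        rest = +rest                                # drop facts whose count hit zero
        for s2, used in match_lhs(lhs[1:], rest, s):
            yield s2, used + Counter([fact])

def successors(state, rule):
    """All next states reachable by one application of rule = (lhs, exist_vars, rhs):
    matched facts are removed, each ?z in exist_vars becomes a new symbol, rhs is added."""
    lhs, exist, rhs = rule
    for subst, used in match_lhs(lhs, state, {}):
        ground = {**subst, **{z: fresh(z) for z in exist}}
        nxt = state - used
        nxt.update(substitute(g, ground) for g in rhs)
        yield nxt

# The paper's example: state {P(f(a)), P(b)} and rule P(x) -> ∃z. Q(f(x), z).
EXAMPLE_STATE = Counter([('P', ('f', 'a')), ('P', 'b')])
EXAMPLE_RULE = ([('P', '?x')], ['?z'], [('Q', ('f', '?x'), '?z')])

# A timeout rule of the form used in Sect. 2.2, Z(k, set) -> Z(k, timed_out), applied to
# constructed timer facts for two participants (keys k_o and k_r are placeholders).
TIMEOUT_RULE = ([('Z', '?k', 'set')], [], [('Z', '?k', 'timed_out')])
TIMER_STATE = Counter([('Z', 'k_o', 'set'), ('Z', 'k_r', 'unset')])

def paper_example():
    """The successor that instantiates x := f(a), as in the text (P(b) is left untouched)."""
    for nxt in successors(EXAMPLE_STATE, EXAMPLE_RULE):
        if ('P', 'b') in nxt:
            return nxt
    return None

if __name__ == '__main__':
    for s in successors(EXAMPLE_STATE, EXAMPLE_RULE):
        print(dict(s))                  # the rule is nondeterministic: two possible choices
    print([dict(s) for s in successors(TIMER_STATE, TIMEOUT_RULE)])
```

The fresh symbol appears as `z_0` rather than the text's `c`; only its newness matters.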

Timer signals. In our model, timers are interpreted as local signals, used by participants to decide when to quit waiting for a message from the other party in the protocol. They do not refer to any global time or imply synchronicity. Timers are formalized by binary timer predicates, whose first argument is of the sort public-key and identifies the participant who receives its signal, while the second argument is one of the following three constants of the sort timer-state: unset, set, and timed_out.

Cryptography. Contract signing protocols usually employ cryptographic primitives. In 
general, the purpose of cryptography is to provide messages that are meaningful to some 
parties, but not subject to arbitrary (non-polynomial-time) computation by others. For 
example, encryption provides messages that are meaningful to any recipient with the 
decryption key, but not subject to decryption by any agent who does not possess the 
decryption key. The logic-based formalism of MSR cannot capture subtle distinctions 
between, for example, functions computable with high probability and functions com- 
putable with low or negligible probability. Instead, we must model functions as either 
feasibly computable, or not feasibly computable. 

For each operation used in a protocol, we assume there is some MSR characterization of its computability properties. To give a concrete framework for presenting these rules, let us assume some set of predicates $\mathcal{P} = \{P^{\alpha} \mid \alpha \text{ is any sort}\}$. Since the sort $\alpha$ is determined by the sort of the arguments to $P^{\alpha}$, we will not write the sort when it is either irrelevant, or clear from context. Intuitively, a rule of the form

$P(s_1), \ldots, P(s_m), F_1, \ldots, F_j \rightarrow P(t_1), \ldots, P(t_n), F_1, \ldots, F_j$

means that if an agent possesses data $s_1, \ldots, s_m$, then under conditions specified by facts $F_1, \ldots, F_j$, it is computationally feasible for him to also learn $t_1, \ldots, t_n$. For example, here are the familiar "Dolev-Yao" [13,25] rules given in [10]:

$P(x), P(k) \rightarrow P(encrypt(k, x))$

$P(encrypt(k, x)), P(k^{-1}), Keypair(k, k^{-1}) \rightarrow P(x)$

In the remainder of the paper, we assume some fixed theory Possess of rules that 
characterize the computationally feasible operations on messages. As a disclaimer, we 
emphasize that the results in this paper are accurate statements about a protocol using 
cryptographic primitives only to the extent that Possess accurately characterizes the 
computationally feasible operations. In particular, protocols that distinguish between 
low-order polynomial computation and high-order polynomial computation, or rely on 
probabilistic operations in some essential way, may fall outside the scope of our analysis 
and may conceivably violate some of our results. 
2.2 Protocol Model 

We say that a protocol $\mathcal{P}$ is a contract signing protocol if it involves three parties, O (originator), R (responder), and T (trusted third party), and the goal of the protocol is to enable O (respectively, R) to obtain R's signature (respectively, O's signature) on some pre-agreed text. For brevity, we will say signature as a shorthand for "signature on the pre-agreed text," use terms contract signing and signature exchange interchangeably, and refer to O and R as signers. We specify the protocol by a set of MSR rules, which we call a theory. Any sequence of rules consistent with the theory corresponds to a valid execution trace of a protocol instance. If execution traces are naturally arranged in trees, then the MSR theory defines the set of all possible execution traces as a forest of trees. To obtain the impossibility result, we choose any contract signing protocol $\mathcal{P}$ and fix it. We assume that the contract text for each instance contains a unique identifier, and consider only a single instance of $\mathcal{P}$.

A protocol theory $\mathcal{P}$ for the given protocol is the disjoint union of six theories: $O$, $R$, $T_0$, $O_{timeouts}$, $R_{timeouts}$, and $T_{timeouts}$. We will refer to $O$, $R$, $T_0$ as role theories. Each role theory specifies one of the protocol roles by giving a finite list of role state predicates that define the internal states of the participant playing that role and the rules for advancing from state to state. A role theory also contains another, disjoint list of timer predicates describing the rules for the participant's timers. A participant may advance his state by "looking" at the state of his timers or the network (i.e., a timer or a network predicate appears on the left side of the rule). He may also set his timer by changing the timer's state from unset to set, but he may not change it to timed_out.

A timeout rule is a rule of the form $Z(k, set) \rightarrow Z(k, timed\_out)$, where $k$ is the public key of the participant associated with timer $Z$. In the protocol theory, $O_{timeouts}$, $R_{timeouts}$, and $T_{timeouts}$ are the sets of timeout rules for all timers of O, R, and T, respectively. For simplicity, we will combine the role theory and the timeouts of T, and call it $T = T_0 \cup T_{timeouts}$.

Communication. Following the standard assumption that the adversary controls the network and records all messages, we model communication between O and R by a unary network predicate $N$ whose argument is of the sort mssg. Once a fact $N(m)$ for some $m$ is added to the state, it is never removed. As in contract signing protocols in the literature [3,18], we assume that channels between signers and T are inaccessible to the adversary and separate from the network between O and R (by contrast, [20] considers security of contract signing protocols under relaxed assumptions about channel security). Channels between signers and T are modeled by ternary TTP channel predicates, whose arguments are of the sort public-key, public-key and mssg, respectively. For example, $tc_O(k_O, k_T, m)$ models the channel between O and T carrying message $m$.

Threat Model. We are interested in guarantees provided by contract signing protocols when one of the signers misbehaves in an arbitrary way. T is assumed to be honest. We will call the misbehaving signer the adversary. The adversary does not necessarily follow the protocol, and may ignore the state of the timers or stop prematurely. He may gather messages from the network, store them, decompose them into fragments and construct new messages from the fragments. These abilities are formalized by theories $O_{threat}$ and $R_{threat}$ containing dishonest rules for O and R, respectively. Each rule models a particular dishonest operation.

A protocol definition consists of the protocol theory $\mathcal{P}$, theories $O_{threat}$ and $R_{threat}$, the Possess theory which models computationally feasible operations on messages, and the initial set of facts $S_0$ which contains the initial states of all participants and timers. The formal definition of a protocol theory can be found in Appendix A. Non-probabilistic fixed-round contract signing protocols in the literature such as [3,18] can all be defined in this way.



2.3 Traces and Continuation Trees 

A state is a finite multiset of facts. For example, the initial state $S_0$ may include facts $O_0(k_O, k_O^{-1}, k_R, p)$ and $R_0(k_R, k_R^{-1}, k_O, p)$ modeling the initial states of the originator and the responder in protocol $p$: each knows his own public and private keys, and the opponent's public key. A trace from state $S$ is a chain of nodes, with the root labeled by $S$, each node labeled by a state, and each edge labeled by a triple $(t, \sigma, Q)$. Here $Q$ is one of $\{O, R, T, O_{timeouts}, R_{timeouts}, O_{threat}, R_{threat}\}$, $t \in Q$ is a state transition rule, and $\sigma$ is a ground substitution. If $(t, \sigma, Q)$ labels the edge from a node labeled by $S_1$ to a node labeled by $S_2$, it must be the case that the application of $t\sigma$ to $S_1$ produces $S_2$. Any state labeling a node in this chain is said to be reachable from $S$. We will simply say that a state is reachable if it is reachable from the initial state $S_0$.

An edge is a dishonest move of O if it is labeled by some $t \in O_{threat}$. O is said to be honest in the trace if there are no dishonest moves of O in the trace. If $S$ is reachable by a trace in which O is honest, then $S$ is reachable by honest O. The definitions for R are symmetric. Assuming that dishonest participants, if any, make only a finite number of dishonest moves, let the continuation tree $ctr$ at state $S$ be the finite tree of all possible traces from $S$. This tree can be thought of as a game tree that represents the complete set of possible plays. Let $ctr[O]$ be the tree obtained from $ctr$ by removing all edges in $O \cup O_{threat}$ along with their descendants. Intuitively, $ctr[O]$ is the set of all possible plays if O stops participating in the protocol. The definition of $ctr[R]$ is symmetric. We will say that any edge $e$ in $ctr$ that is labeled by a rule in $O$ or $O_{threat}$ (respectively, $R$ or $R_{threat}$) is under O's control (respectively, R's control). To model optimism of honest signers (see Sect. 4), we will also assume that some edges in $O_{timeouts} \cup R_{timeouts}$ are under control of the dishonest participant.



3 Properties of Contract Signing Protocols 

The MSR definition of the protocol defines the set of all possible execution traces in the form of a continuation tree. To define protocol properties such as fairness, optimism, timeliness, and advantage, we view the continuation tree as a game tree containing all possible plays, and adapt the notion of strategy from classical game theory.

For the remainder of the paper, we will assume that only one of the signers is honest. 
We will use A to refer to the honest signer, i.e., A refers to either O, or R, depending on 
which of them is honest. We’ll use B to refer to the other, dishonest signer. 
3.1 Strategies

Following [11], we formalize strategies as truncated continuation trees. Given a set of edges $E$, let ctr\E be the tree obtained from continuation tree ctr by removing the edges in $E$ along with their descendants. Intuitively, if $E$ is a subset of edges of ctr under A's control, then ctr\E is the set of possible plays that result if A does not use transitions in $E$. Similarly, we can define ctr[A]\E (recall that ctr[A] is the tree of all plays if A stops participating in the protocol).

Definition 1. Let $S$ be a reachable state and let ctr be the continuation tree from $S$. Let $X \subseteq \{A, B, T\}$.

1. If $E$ is a subset of edges of ctr such that each edge in $E$ is under the control of some $p \in X$, then ctr\E is said to be a strategy for the coalition $X$. If there are no dishonest moves of any $p \in X$ in ctr\E, then ctr\E is said to be an honest strategy.

2. If $E$ is a subset of edges of ctr[A] such that each edge in $E$ is under the control of some $p \in X$, then ctr[A]\E is said to be an A-silent strategy for the coalition $X$.

This definition corresponds to the standard game-theoretic notion of strategy. E 
represents the plays that the coalition X considers unfavorable, and ctr\E represents 
the continuations that X prefers. At any given state S' in ctr\E, an edge coming out of 
the node labeled by S' indicates the next move for X in accordance with the strategy 
ctr\E. If the edge is not under X’s control, then the next move for X is idling, i.e., 
waiting for others to move. 

To define fairness and other properties, we are interested in strategies in which the 
coalition X drives the protocol to a state in which some property holds: 

Definition 2. If there is a strategy ctr\E from $S$ for coalition $X$ such that all leaf nodes of ctr\E are labeled by states $S'$ that satisfy some property $\phi(S')$, then $X$ has a strategy from $S$ to reach a state in which $\phi$ holds.

The definition for A-silent strategies is similar. 

Since the players' objective in the game is to obtain each other's signatures, we are interested in the states where A possesses B's signature and the ones where B possesses A's signature. Formally, B possesses some term $m$ in a reachable state $S$ if $m$ is derivable, using the rules in Possess, from the terms in B's internal role state predicate $B_i$ in $S$ and B's additional memory in $S$ given to him by the threat model. Possession is always monotonic. The definition for A is symmetric, except that the threat model does not have to be considered.

Definition 3. If there is a strategy for coalition X such that all leaf nodes in the strategy 
are labeled by states in which A possesses B ’s signature, then X has a strategy from 
S to give A B’s signature. Moreover, if X = {A}, then A is said to have a strategy to 
obtain B’s signature. 

3.2 Fairness, Optimism, Timeliness, and Advantage 

We now use the notion of strategy to define what it means for a contract signing protocol 
to be fair, optimistic, and timely, and what it means for a participant to enjoy an advantage. 
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The definitions are quite subtle. For example, we need to draw the distinction between 
a strategy for achieving some outcome, and a possibility that the outcome will happen 
under the right circumstances. This requires introduction of a four-valued variable to 
characterize the degree of each player’s control over the protocol game. 

Fairness. Fairness is the basic symmetry property of an exchange protocol. There is a known impossibility result [14,24] demonstrating that no deterministic two-party protocol can be fair. Therefore, fairness requires introduction of at least one other party, e.g., the trusted third party T. Our definition is equivalent to a common definition of fairness in terms of state reachability [18,11]. Intuitively, a protocol is fair for the honest signer A if, whenever B has obtained A's signature, A has a strategy in coalition with T to obtain B's signature.

Definition 4. A protocol is fair for honest A if, for each state S reachable by honest 
A such that B possesses A’s signature in S, the coalition of A and T has an honest 
strategy from S to give A B’s signature for all bounds on the number of moves that a 
dishonest B makes. 

Advantage. Intuitively, fairness says that either both players obtain what they want, 
or neither does. This is not always sufficient, however. A player’s ability to decide 
unilaterally whether the transaction happens or not can be of great value in scenarios 
where resource commitment is important, such as online trading and auction bidding. 

To characterize the degree to which each participant controls the outcome of the protocol in a given state, we now define a pair of values $rslv_A$, $rslv_B$ associated with each reachable state. We are interested in what a participant may do in the worst possible case. Therefore, despite our assumption that A is honest, we will consider A's dishonest moves when reasoning about A's ability to control the outcome.

Definition 5. Define $rslv_A$ for any reachable state $S$ as follows:

$rslv_A(S) = 2$, if A has a strategy to obtain B's signature for all bounds on the number of dishonest moves of B,

$= 1$, if $rslv_A(S) \neq 2$, but A has a B-silent strategy to reach a state $S'$ such that $rslv_A(S') = 2$,

$= \frac{1}{2}$, if $rslv_A(S) \notin \{1, 2\}$, but there is a state $S'$ reachable from $S$ such that $rslv_A(S') = 2$, and no transition on the $S \rightarrow S'$ path is in $B \cup B_{threat}$,

$= 0$, otherwise.

The strategies need not be honest. Definition of rslv b is symmetric. 

Intuitively, rslv_B(S) = 2 if B can obtain A's signature no matter what A does, 1 
if B can obtain A's signature provided A stops communicating and remains silent, ½ if 
there is a possibility (but no strategy) for B to obtain A's signature when A is silent, and 
0 means that B cannot obtain A's signature without A's involvement. The difference 
between 1 and ½ is essential. For example, rslv_B(S) = 1 if B can obtain A's signature 
by sending a message to T as long as A is silent, while rslv_B(S) = ½ if A is silent, but 
some previously sent message is already on the channel to T, and the outcome of the 
protocol depends on the race condition between this message and B's message. 

Given an initial state S_0, we assume that rslv_A(S_0) = rslv_B(S_0) = 0. The signature 
exchange problem is not meaningful otherwise. 




374 



R. Chadha et al. 



Definition 6. B has an abort strategy in S if B has a strategy to reach a state S' such 
that rslv_A(S') = 0. B has a resolve strategy in S if B has a strategy to reach a state 
S'' such that rslv_B(S'') = 2. B has an advantage in S if B has both an abort strategy 
and a resolve strategy. 

If B has an advantage in S, then A does not have an advantage in S, and vice versa. 

Optimism. Intuitively, a protocol is optimistic if it enables two honest parties to exchange 
signatures without involving the trusted third party, assuming they do not time out waiting 
for each other’s messages. Such protocols potentially provide a practical means of fair 
exchange between mistrusting agents without relying on a third party in most instances. 

We say that A does not send a message to T in the transition from S to S' if (i) 
the transition is an application of a rule in A ∪ A_threat, and (ii) no fact created by the 
transition matches a term in the left hand side of a rule in T. 

Definition 7. A fair protocol is optimistic for B if, assuming A is honest and B controls 
the timeouts of both A and B, B has an honest strategy at S_0 such that 

1) no messages are sent by any signer to T; 

2) every leaf node is labeled by a state in which B possesses A’s signature; 

3) there is a trace from S_0 to a leaf node that involves only the transitions in A ∪ B. 

Any trace in this strategy is an optimistic trace. Definition of optimistic for A is 
symmetric. A protocol is optimistic if it is optimistic for both signers. 

Our definition of optimism implies that the protocol specification does not permit 
honest participants to contact T nondeterministically, i.e., every rule that results in a 
message sent to T is conditional on some timer timing out. 

Timeliness. We now formalize the following intuition [3]: “one player cannot force the 
other to wait for any length of time — a fair and timely termination can always be forced 
by contacting the third party.” Timeliness has been emphasized by the designers of fair 
exchange protocols, since it is essential for practical use. In any state of the protocol, 
each participant should be able to terminate the exchange unilaterally. If he has not been 
able to obtain the other’s signature, he can always reach a terminal state where he can 
stop and be sure that the opponent will not be able to obtain his signature, either. 

Definition 8. A fair, optimistic protocol is timely for B if in every state on an opti- 
mistic trace B has an A-silent strategy to reach a state S' such that rslv_A(S') = 0 or 
rslv_B(S') = 2. A protocol is timely if it is timely for both signers. 

To illustrate the importance of timeliness, consider a protocol that is not timely, e.g., 
Boyd-Foo protocol [8]. In this protocol, originator O releases some information that can 
be used by responder R to obtain O’s signature from T at some later point. If R stops 
communicating, O is at his mercy. He may have to wait, possibly forever, before he 
learns whether the exchange has been successful. 

For the rest of this paper, we assume that the protocol is fair, timely, and optimistic 
for both signers. 
4 Impossibility of Balance in Optimistic Protocols 

As explained in the introduction, optimistic contract signing protocols are only valuable 
insofar as they offer benefit to an optimistic participant. We say that the honest participant 
A is optimistic if, in any state where he is permitted by the protocol specification to contact 
trusted third party T, he waits for B’s response before contacting T. 

The propensity of the optimistic participant to wait for the opponent’s response before 
contacting T can be exploited by the opponent. Recall that definition 7 implies that an 
honest participant only contacts T after some timer times out. We use this to model 
optimism of A by giving B the ability to schedule the timeout rules of A by an “out- 
of-band” signal. In any implementation of the protocol, B does not actually schedule 
A’s timers. This is simply a technical device to restrict the set of execution traces under 
consideration to those that may occur when one of the participants is optimistic. 

Definition 6 can thus be extended to cases where A is optimistic by permitting B's 
strategy to include control over timeouts of A and B. If B does not have a strategy for 
reaching a state where he has an advantage over an optimistic A, we say that the protocol 
is balanced for an optimistic A. As we will now show, balance cannot be achieved by 
any fair, timely, optimistic protocol. 

The first observation underlying our proof is that, in the interleaving semantics of 
concurrency used by our model, the order of application of state transition rules that 
affect independent parts of the system can be commuted. The second observation is that 
the strategies available to the dishonest player are not negatively affected by messages 
sent to him by the honest player or by the honest player’s timeouts because the dishonest 
player is free to ignore both. 

We start with an auxiliary proposition, which follows directly from definition 5. 

Proposition 1. Let S → S' be a state transition not in B ∪ B_threat. If rslv_B(S) = 2, 
then rslv_B(S') = 2. If rslv_A(S) = 0, then rslv_A(S') = 0. 

Proposition 1 implies that if rslv_A(S) = 0 and rslv_A(S') > 0, then the S → S' 
transition must be in B ∪ B_threat. Similarly, if rslv_B(S) = 0 and rslv_B(S') > 0, then 
S → S' is in A ∪ A_threat. Intuitively, a player acquires some degree of control over 
the outcome of the protocol for the first time only because of the other player's move. 

Just as we defined ctr[A] to be the tree obtained from ctr by removing all edges in 
A ∪ A_threat, we define ctr[A+] to be the tree obtained from ctr by removing all edges 
in A ∪ A_threat ∪ A_timeouts. If E is a selection of edges in ctr[A+] under B's control, 
then ctr[A+]\E is a strategy available to B if A remains silent and no timers time out. 
We will call such a strategy a weak A-silent strategy. 

Proposition 2. Let S → S' be a state transition in A_timeouts. B has a weak A-silent 
abort [resolve] strategy at S' if and only if B has a weak A-silent abort [resolve] strategy 
at S. 

The proof of proposition 2 relies on the fact that the moves of B and T that constitute 
a weak A-silent strategy cannot depend on the state of A’s timers. 

Proposition 3. B has an A-silent abort [resolve] strategy at S if and only if B has a 
weak A-silent abort [resolve] strategy at S. 

In the proof, we use proposition 2 to construct an A-silent strategy from a weak 
A-silent strategy by induction on the height of the continuation tree. Proposition 3 
establishes that the strategies available to the dishonest player are not negatively affected 
by the honest player’s timeouts. We now show that they are not affected by the honest 
player’s messages to the dishonest player. 

Lemma 1. Let S → S' be a transition in A ∪ A_threat. If B has an A-silent abort 
[resolve] strategy in S, and A does not send a message to T in the S → S' transition, 
then B has an A-silent abort [resolve] strategy in S'. 

Proof. The proof, illustrating our general proof techniques, is in appendix B. 

We use lemma 1 to show that for each strategy conditional on A remaining silent, 
there is an equivalent strategy in which A is not silent, but B simply ignores A’s messages. 
The strategy works as long as A does not try to talk to T. 

Lemma 2. If B has an A-silent abort [resolve] strategy at S, and A does not send any 
messages to T, then B has an abort [resolve] strategy. 

Proof. (Omitted for space reasons). 

We now show that a strategy conditional on A not talking to T works against an 
optimistic A since he waits for B’s messages instead of trying to contact T. 

Lemma 3. Let S be a state that does not contain Z(k, timed_out) for any timer pred- 
icate Z. If B has an A-silent abort [resolve] strategy in state S, then B has an abort 
[resolve] strategy against optimistic A in S. 

Proof. (Sketch) Definition 7 implies that an optimistic A contacts T only when some 
timer times out. B controls the timeouts of an optimistic A. Hence B can prevent A 
from sending any message to T. We then apply lemma 2. 

Theorem 1 (Impossibility of Balance). Let P be a fair, optimistic, timely protocol 
between signers A and B. If A is optimistic, then there is a non-initial state S* such that 
B has an advantage against an optimistic A at S*. 

Proof. (Sketch) By definition 7, there is an optimistic trace from the initial state S_0 which 
contains only the transitions in A ∪ B and leads to S' such that rslv_B(S') = 2. Consider 
the first transition S → S* on this trace such that rslv_B(S) = 0, rslv_B(S*) > 0. 
Proposition 1 implies that this must be a transition in A ∪ A_threat. By definition 7, A 
does not send a message to T anywhere in the trace, including this transition. 

By definition 8, B has an A-silent strategy to reach a state S'' such that rslv_A(S'') = 0 
or rslv_B(S'') = 2. Since rslv_B(S) = 0, it must be the case that rslv_A(S'') = 0, i.e., 
B has an A-silent abort strategy. By lemma 1, B has an A-silent abort strategy in S*. 
Therefore, by lemma 3, B has an abort strategy against optimistic A in S*. 

By definition 7, B has a strategy at S_0 to obtain A's signature since B controls the 
timeouts of A and B. Because S* is reached as part of this strategy (recall that the S → S* 
transition is on an optimistic trace), B also has a strategy to obtain A's signature at S*. 
Hence B has a resolve strategy against optimistic A in S*. Since B has both abort and 
resolve strategies, B has an advantage against an optimistic A in S*. □ 
We'd like to emphasize that the result of theorem 1 is not a trivial "second-mover" 
advantage. A and B are not protocol roles, but simply notation for the honest and dis- 
honest participant, respectively. An optimistic participant is at a disadvantage regardless 
of the role he plays in the protocol. Even if he chooses the responder role, he will lose 
control over the outcome of the protocol at some point as long as he remains optimistic. 
For example, in Garay et al.’s abuse-free contract signing protocol [18], the originator 
enjoys the advantage over the responder, even though the responder is the first to receive 
information that potentially enables him to obtain the originator’s signature. 
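As an added illustration, not part of the paper, the following Python script evaluates Definitions 5 and 6 and the conclusion of Theorem 1 on a constructed, ASW-style toy state graph (an assumption of this example, not a protocol studied here). It reads a strategy as a subtree that keeps every opponent and T edge while the player fixes at most one own edge per state, and it models an optimistic A, as in Section 4, by dropping A's timeout-triggered contacts with T.

```python
from fractions import Fraction
from functools import lru_cache

# Constructed toy state graph of an ASW-style optimistic exchange (an
# assumption of this example, not a protocol from the paper).  Edges are
# (source, mover, target); mover "A_to" marks A's timeout-triggered contacts
# with T, the moves an optimistic A never makes.  Once T has been contacted
# the signers are modelled as idle, which keeps the graph finite and acyclic.
EDGES = [
    ("s0", "A", "s1"),       # A sends its promise
    ("s1", "B", "s2"),       # B answers with its promise
    ("s1", "A_to", "a1"),    # A times out and asks T to abort
    ("a1", "T", "ab"),       # T aborts: nobody gets anything
    ("s2", "A", "s3"),       # A sends its signature (B now holds sig_A)
    ("s2", "A_to", "a2"),    # A times out and asks T to abort
    ("s2", "B", "r1"),       # B asks T to resolve
    ("s2", "B", "b1"),       # B asks T to abort
    ("a2", "T", "ab"),
    ("a2", "B", "race"),     # B's resolve request joins A's pending abort
    ("r1", "T", "both"),     # T issues both signatures
    ("r1", "A_to", "race"),  # A's abort request joins B's pending resolve
    ("b1", "T", "ab"),
    ("race", "T", "ab"),     # T happens to process the abort first ...
    ("race", "T", "both"),   # ... or the resolve first
    ("s3", "B", "both"),     # B sends its signature
    ("s3", "A_to", "a3"),    # A times out and asks T to resolve
    ("s3", "B", "b3"),       # B asks T to resolve
    ("a3", "T", "both"),
    ("b3", "T", "both"),
]
# States in which a signer possesses the other's signature.
POSSESSES = {"A": {"both"}, "B": {"s3", "a3", "b3", "both"}}
OTHER = {"A": "B", "B": "A"}

def moves(state, edges):
    return [(m, t) for s, m, t in edges if s == state]

def win(state, player, goal, edges):
    """Strategy check (simplified reading of the paper's strategies): `player`
    keeps at most one own edge per state, every opponent and T edge stays, and
    the opponent may stop moving at any time.  True if every play reaches a
    state satisfying `goal`."""
    own = [t for m, t in moves(state, edges) if m.startswith(player)]
    rest = [t for m, t in moves(state, edges) if not m.startswith(player)]
    forced = [t for m, t in moves(state, edges) if m == "T"]
    for choice in [None] + own:
        chosen = [] if choice is None else [choice]
        # If only the opponent could move, the goal must already hold here.
        if not (forced + chosen) and not goal(state):
            continue
        if all(win(t, player, goal, edges) for t in rest + chosen):
            return True
    return False

def reachable(state, goal, edges):
    return any(goal(t) or reachable(t, goal, edges) for _, t in moves(state, edges))

@lru_cache(maxsize=None)
def rslv(player, state):
    """rslv_player(state) as in Definition 5: 2, 1, 1/2 or 0."""
    opp = OTHER[player]
    opp_silent = [e for e in EDGES if not e[1].startswith(opp)]
    if win(state, player, lambda s: s in POSSESSES[player], EDGES):
        return 2
    later2 = lambda s: s != state and rslv(player, s) == 2
    if win(state, player, later2, opp_silent):      # opponent-silent strategy
        return 1
    if reachable(state, later2, opp_silent):        # a path, but no strategy
        return Fraction(1, 2)
    return 0

def strategies(state, optimistic_a):
    """B's abort / resolve strategies and advantage at `state` (Definition 6).
    With optimistic_a=True, A's timeout edges are dropped: B schedules A's
    timers (Section 4) and never lets them fire."""
    edges = [e for e in EDGES if not (optimistic_a and e[1] == "A_to")]
    abort = win(state, "B", lambda s: rslv("A", s) == 0, edges)
    resolve = win(state, "B", lambda s: rslv("B", s) == 2, edges)
    return abort, resolve, abort and resolve

if __name__ == "__main__":
    states = sorted({s for s, _, _ in EDGES} | {t for _, _, t in EDGES})
    for s in states:
        print(f"{s:5} rslv_A={rslv('A', s)!s:4} rslv_B={rslv('B', s)!s:4} "
              f"B vs honest A: {strategies(s, False)}  "
              f"B vs optimistic A: {strategies(s, True)}")
```

Running the script prints rslv_A, rslv_B and B's abort/resolve strategies for every state; B gains an advantage against an optimistic A at s1, right after A's first message, but not against an A who may time out.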



5 Abuse-Free Protocols and Provable Advantage 

Theorem 1 states that any fair, optimistic, timely protocol necessarily provides a dis- 
honest participant with control over the outcome against an optimistic opponent. The 
problem may be alleviated by ensuring that no participant can prove to an outside party 
that he controls the outcome. Such protocols have been called abuse-free in the liter- 
ature [18], and concrete protocols [3,18] have been constructed using zero-knowledge 
cryptographic techniques such as verifiable signature escrows and designated-verifier 
proofs. To formalize “ability to prove,” we rely on a knowledge-theoretic framework 
borrowed from epistemic logic [19,16]. 

Reasoning about knowledge. Given a participant P and a reachable state S, let P's view 
of S be the submultiset of S containing all the facts corresponding to role states in the role 
theory of P, timers of P and messages on P's channels to other participants. Intuitively, 
this set represents all that P may observe in S. Given a trace tr from the initial state S_0 
to S, construct a new labeled chain by relabeling the nodes by P's view of S. Relabel 
the edges not associated with P by ε, which indicates that somebody other than P may 
have moved. Since P cannot observe other players' moves, insert an ε between any two 
consecutive edges labeled by rules of P (duplicate the node connecting these edges) as 
well as at the start and end of the trace. If there are two or more consecutive ε edges, but 
P's view does not change when moving across one of them, then delete that edge. The 
resulting chain tr' is called P's observation of the protocol, Obsv_P(S, tr). Intuitively, 
P's observation is just P's own history in the trace. 

In the spirit of algorithmic knowledge [16,22], observations Obsv_P(S, tr) and 
Obsv_P(S*, tr*) are equivalent if they are computationally indistinguishable by P. 

Definition 9. Given a trace tr from S_0 ending in S, we say that P knows in (S, tr) that 
logical formula F is true if 

i) F is true in S, and 

ii) for each trace tr* from S_0 to S* such that Obsv_P(S*, tr*) is indistinguishable by P 
from Obsv_P(S, tr), F is true in S*. 

Intuitively, P knows that F is true if F holds in all possible executions of the protocol 
consistent with P's observations. 

Abuse-freeness. To reason about abuse-freeness, we augment the protocol with an outside 
party C and consider his knowledge at different stages of the protocol. C does not possess 
the signers’ or the third party’s private keys, and obtains all of his evidence about the 
protocol from one of the protocol participants, e.g., B, who forwards arbitrary messages 
to C in an attempt to cause C to know that A is participating in the protocol. 

Definition 10. B has provable advantage against A in state S if 

i) B has an advantage over A at S, and 

ii) B can provide information, derived from the protocol execution up to S, that causes 
C to know that A is participating in the protocol. 

A protocol is abuse-free for A if B has no provable advantage in any reachable state. 

Definition 10 is weaker than one might expect. If B enjoys an advantage at S, then 
in order for B to enjoy provable advantage, B merely has to prove A's participation in 
the protocol. B may succeed even if his protocol with A is already over. But since we are 
concerned with making the protocol as safe as possible for an optimistic A, the weaker 
definition is acceptable since it makes abuse-freeness (its negation) stronger. Combining 
theorem 1 and definition 10, we obtain 

Corollary 1. In any fair, optimistic, timely, abuse-free protocol between A and B, there 
is a trace tr from S_0 to state S such that 

i) B has an advantage over optimistic A at S, 

ii) C does not know in (S, tr) that A is participating in the protocol, i.e., there is another 
trace tr* from S_0 to some S* such that Obsv_C(S*, tr*) is indistinguishable by C from 
Obsv_C(S, tr), and A is not participating in tr*. 



6 Related Work 

Previous game-theoretic approaches to the study of fair exchange [11,20,21] focused on 
formalizing fairness for the strongest possible honest player without taking optimism 
into account. In [20], fairness is formalized as the existence of a defense strategy for the 
honest player, which is not sufficient if the honest player faces nondeterministic choices 
in the protocol, as is the case in the abuse-free protocol of Garay et al. [18]. Another 
game-theoretic model was developed in [9], but it focuses mainly on economic equilibria 
in fair exchange. Cryptographic proofs of correctness by protocol designers [2,3,18] 
focus on basic fairness and ignore the issues of optimism and fundamental asymmetry 
of communication between the signers and the trusted third party. 

To the best of our knowledge, we are the first to apply an epistemic logic framework 
to formalize the “ability to prove” and thus abuse-freeness. In [27], belief logic SVO is 
used to reason about correctness of the non-repudiation protocol [26], but it is not clear 
how belief logics might apply to fairness and abuse-freeness. [21] models advantage, but 
not the concepts of proof and knowledge, which we believe provide a more compelling 
characterization of abuse-freeness. 

7 Conclusions and Further Work 

We have studied contract signing protocols in a game-theoretic model, giving precise, 
formal definitions of properties such as fairness and timeliness. We characterized op- 
timism of honest protocol participants using a form of out-of-band signal that forces 
the optimistic player to wait for the opponent. While the out-of-band signal does not 
correspond to any realistic mechanism in distributed computation, it accurately reduces 
the set of protocol traces to those where the optimistic player waits for the opponent 
instead of contacting the trusted third party. 

Our main result is that in any fair, optimistic, timely protocol, an optimistic player 
yields an advantage to his opponent. This means that the opponent has both a strategy to 
complete the signature exchange and a strategy to keep the players from obtaining each 
other’s signatures. Since the protocol is fair, the outcome for both players is the same, 
but the player with an advantage can choose what this outcome is. This holds regardless 
of whether the optimistic player is the first or second mover. 

Since advantage cannot be eliminated, the best a protocol can do to protect optimistic 
participants is prevent the opponent from proving to any outside party that he has reached 
a position of advantage. This property is known as abuse-freeness. We define abuse- 
freeness using the concept of algorithmic knowledge adapted from epistemic logic to 
formalize what it means to “prove” something to an outside observer. 

One direction for further investigation involves the notion of trusted third party 
accountability. The relationship between our definitions and the cryptographic definitions 
of fairness [3] may also merit further study. Finally, we believe that our techniques will 
prove useful for investigating multi-party contract signing protocols. 
A Role and Protocol Theories 

We assume that the vocabulary contains the following basic sorts: PK (for public keys), 
M (for messages), C (for pre-agreed contract texts), PI (for protocol instances), and UI 
(for globally unique instance identifiers, since we assume that each protocol instance has 
such an identifier). We also assume a function ⟨_, _, _, _, _⟩ : PK × PK × PK × C × UI → 
PI, i.e., a protocol instance is determined by the signers' public keys, the key of the 
trusted third party, the pre-agreed contract text, and the unique identifier. For example, 
p = ⟨k_o, k_r, k_t, m, n⟩ describes a protocol instance, identified as n, in which signers 
with public keys k_o and k_r exchange signatures on the pre-agreed text m with the help 
of the trusted third party whose key is k_t. 
Definition 11. Theory A is a role theory for participant A with public key k_a, where k_a 
is a constant of the sort PK, if it satisfies the following: 

i) A includes a finite list of predicates A_0, ..., A_n, called role state predicates, and a 
finite list of timer predicates, called timers of A. The two lists are disjoint. 

ii) A_0 is a binary predicate whose arguments are of the sort PK and PI, respectively. 
We call A_0 the initial role state predicate. 

iii) For each rule l → r in A, 

1. There is exactly one occurrence of a role state predicate in l, say A_i, and exactly 
one occurrence of a role state predicate in r, say A_j. Furthermore, it is the case that 
i < j. If A_0 occurs in l, then A_0(k_a, p) ∈ l for some term p of the sort PI. 

2. If A_i is a k-ary role state predicate occurring in l, and A_j is an m-ary role state 
predicate occurring in r, then m ≥ k. Furthermore, if A_i(u_1, ..., u_k) ∈ l and 
A_j(v_1, ..., v_m) ∈ r then u_q and v_q are the same terms for all 1 ≤ q ≤ k. 

3. Let A_i(u_1, ..., u_m) ∈ l, A_j(v_1, ..., v_m) ∈ r. Let MSG be the set of terms u such 
that N(u) or tc(k_1, k_2, u) ∈ l for some TTPchannel predicate tc. For each q, v_q is 
derivable from u_1, ..., u_m and MSG using the rules in Possess. 

4. For each timer Z of A, 

i) l and r each contain at most one occurrence of Z. Occurrences are of the form 
Z(k_a, ts), where ts is a constant of the sort timer state. If Z occurs in r, then it 
occurs in l. 

ii) If Z(k_a, unset) ∈ l, then either Z(k_a, unset) ∈ r, or Z(k_a, set) ∈ r. 

iii) If Z(k_a, set) ∈ l, then Z(k_a, set) ∈ r. 

iv) If Z(k_a, timed_out) ∈ l, then Z(k_a, timed_out) ∈ r. 

5. If N(u) ∈ l, where N is a network predicate and u is a term of the sort M, then 
N(u) ∈ r. If tc(k_1, k_2, u) ∈ l, where tc is a TTPchannel predicate, and terms 
k_1, k_2, u are of the sort PK, PK, M, respectively, then tc(k_1, k_2, u) ∈ r. 

6. For any predicate V other than a role state, timer, network, or TTPchannel predicate, 
the atomic formula V(t_1, ..., t_n) has the same occurrences in l as in r. 

Definition 12. If Z is a timer of the participant with public key k_a, then Z(k_a, set) → 
Z(k_a, timed_out) is the timeout rule of Z. 

Definition 13. Theory P is a protocol theory for signers O and R and trusted third 
party T with public keys k_o, k_r, k_t, respectively, where k_o, k_r, k_t are constants of the 
sort PK, if P = O ⊎ R ⊎ T_0 ⊎ O_timeouts ⊎ R_timeouts ⊎ T_timeouts, where 

1. O, R, T_0 are role theories for, respectively, O, R, T with public keys k_o, k_r, k_t. 

2. At most one TTPchannel predicate, say tc_o, occurs in O. Each occurrence of tc_o is 
of the form tc_o(k_o, k_t, m), where m is of the sort M, and tc_o may not occur in R. 

3. At most one TTPchannel predicate, say tc_r, occurs in R. Each occurrence of tc_r is 
of the form tc_r(k_r, k_t, m), where m is of the sort M, and tc_r may not occur in O. 

4. If some TTPchannel predicate occurs in T_0, then it also occurs in O or R. 

5. The role state predicates and the timers of O (respectively, R) do not occur in R 
(respectively, O) and T_0. The role state predicates and the timers of T do not occur 
in O or R. 

6. O_timeouts, R_timeouts, and T_timeouts are the sets of timeout rules of all timers of 
O, R, and T, respectively. 
B Proof of Lemma 1 

Proof. We rely on the observation that state transition rules affecting independent parts 
of the system may be commuted. Intuitively, moves of B and T are independent of A’s 
internal state. Therefore, as long as A does not send any messages to T, B may ignore 
any message sent to him by A and follow the same strategy in S' as in S. In light of 
proposition 3, all we need to show is that B has a weak A-silent abort [resolve] strategy 
at S' if B has a weak A-silent abort [resolve] strategy at S. We prove this by induction 
on the height of the continuation tree at S. 

Base case: The height of the continuation tree at S is 0. The lemma is vacuously true. 

Induction hypothesis: Suppose the lemma is true for all states S such that the height of 
the continuation tree at S is ≤ n. 

Induction step: Consider state S such that i) the height of the continuation tree at S is 
n + 1, and ii) B has a weak A-silent abort [resolve] strategy at S. 

Consider the continuation tree at S', and remove all edges that are in A ∪ A_threat ∪ 
A_timeouts along with their descendants. For each remaining edge e from S' to some 
state S'', let t be the state transition rule labeling e and consider the following cases: 

Case 1: t ∈ T. Since no message is sent to T in the S → S' transition, t can be applied 
at S as well, resulting in some state, call it S̄. Observe that: 

i) the height of the continuation tree at S̄ is ≤ n; 

ii) B has a weak A-silent strategy at S̄; 

iii) S'' can be obtained from S̄ by the same transition that labels S → S': simply com- 
mute the S → S' and S' → S'' transitions. 

By the induction hypothesis, B has a weak A-silent strategy at S''. Replace the contin- 
uation tree at S'' by this strategy. 

Case 2: t ∈ B ∪ B_threat. There are three possibilities: 

2.1) t cannot be applied at S. Remove edge e along with its descendants. 

2.2) t can be applied at S, but it is not a part of the A-silent strategy at S. Remove edge 
e along with its descendants. 

2.3) t can be applied at S, and it is a part of the A-silent strategy at S. Then, as in Case 
1, replace the continuation tree at S'' by this strategy. 

Case 3: t ∈ B_timeouts. If t is not a part of the A-silent strategy at S, remove edge e 
along with its descendants. If it is a part of the A-silent strategy, replace the continuation 
tree at S'' by this strategy. 

By constructing the right continuation tree for any immediate descendant of S', we 
have constructed a weak A-silent strategy at S'. It remains to show that it is indeed an 
abort [resolve] strategy. There are two possibilities: 

Case A: The height of the constructed strategy is 0. From the construction, it follows 
that the height of the weak A-silent abort [resolve] strategy at S is also 0. Therefore, 
rslv_A(S) = 0 [rslv_B(S) = 2]. By proposition 1, rslv_A(S') = 0 [rslv_B(S') = 2]. 

Case B: The height of the constructed strategy is > 0. By construction, all leaf nodes 
are labeled by states S* such that rslv_A(S*) = 0 [rslv_B(S*) = 2]. 

We conclude that B has a weak A-silent abort [resolve] strategy at S', which completes 
the induction. □ 
Abstract. A fully abstract denotational semantics for the higher-order 
process language HOPLA is presented. It characterises contextual and 
logical equivalence, the latter linking up with simulation. The semantics 
is a clean, domain-theoretic description of processes as downwards-closed 
sets of computation paths: the operations of HOPLA arise as syntactic 
encodings of canonical constructions on such sets; full abstraction is a 
direct consequence of expressiveness with respect to computation paths; 
and simple proofs of soundness and adequacy show correspondence be- 
tween the denotational and operational semantics. 



1 Introduction 

HOPLA (Higher-Order Process LAnguage [19]) is an expressive language for 
higher-order nondeterministic processes. It has a straightforward operational se- 
mantics supporting a standard bisimulation congruence, and can directly encode 
calculi like CCS, higher-order CCS and mobile ambients with public names. The 
language came out of work on a linear domain theory for concurrency, based on 
a categorical model of linear logic and associated comonads [4,18], the comonad 
used for HOPLA being an exponential ! of linear logic. 

The denotational semantics given in [19] interpreted processes as presheaves. 
Here we consider a “path semantics” for HOPLA which allows us to charac- 
terise operationally the distinguishing power of the notion of computation path 
underlying the presheaf semantics (in contrast to the distinguishing power of 
the presheaf structure itself). Path semantics is similar to trace semantics [10] 
in that processes denote downwards-closed sets of computation paths and the 
corresponding notion of process equivalence, called path equivalence, is given by 
equality of such sets; computation paths, however, may have more structure than 
traditional traces. Indeed, we characterise contextual equivalence for HOPLA as 
path equivalence and show that this coincides with logical equivalence for a frag- 
ment of Hennessy-Milner logic which is characteristic for simulation equivalence 
in the case of image-finite processes [8]. 

To increase the expressiveness of HOPLA (for example, to include the type 
used in [24] for CCS with late value-passing), while still ensuring that every 
operation in the language has a canonical semantics, we decompose the “prefix- 
sum” type in [19] into a sum type and an anonymous action 
prefix type !P. The sum type, also a product, is associated with injection ("tag- 
ging") and projection term constructors, βt and π_β t for β ∈ A. The prefix type 
is associated with constructions of prefixing !t and prefix match [u > !x ⇒ t], 
subsuming the original terms β.t and [u > β.x ⇒ t] using β!t and [π_β u > !x ⇒ t]. 

In Sect. 2 we present a domain theory of path sets, used in Sect. 3 to give a 
fully abstract denotational semantics to HOPLA. Section 4 presents the opera- 
tional semantics of HOPLA, essentially that of [19], and relates the denotational 
and operational semantics with pleasingly simple proofs of soundness and ade- 
quacy. Section 5 concludes with a discussion of related and future work. 



2 Domain Theory from Path Sets 

In the path semantics, processes are intuitively represented as collections of their 
computation paths. Paths are elements of preorders P, Q, ... called path orders 
which function as process types, each describing the set of possible paths for 
processes of that type together with their sub-path ordering. A process of type 
P is then represented as a downwards-closed subset X ⊆ P, called a path set. 
Path sets X ⊆ P ordered by inclusion form the elements of the poset P̂ which 
we'll think of as a domain of meanings of processes of type P. 

The poset P̂ has many interesting properties. First of all, it is a complete 
lattice with joins given by union. In the sense of Hennessy and Plotkin [7], P̂ is a 
"nondeterministic domain", with joins used to interpret nondeterministic sums 
of processes. Accordingly, given a family {X_i}_{i∈I} of elements of P̂, we sometimes 
write Σ_{i∈I} X_i for their join. A typical finite join is written X_1 + ··· + X_k while 
the empty join is the empty path set, the inactive process, written ∅. 

A second important property of P̂ is that any X ∈ P̂ is the join of certain 
"prime" elements below it; P̂ is a prime algebraic complete lattice [16]. Primes 
are down-closures y_P p = {p' : p' ≤_P p} of individual elements p ∈ P, representing 
a process that may perform the computation path p. The map y_P reflects as well 
as preserves order, so that p ≤_P p' iff y_P p ⊆ y_P p', and y_P thus "embeds" P in 
P̂. We clearly have y_P p ⊆ X iff p ∈ X and prime algebraicity of P̂ amounts to 
saying that any X ∈ P̂ is the union of its elements: 

X = ⋃_{p∈X} y_P p .    (1) 

Finally, P̂ is characterised abstractly as the free join-completion of P, meaning 
(i) it is join-complete and (ii) given any join-complete poset C and a monotone 
map f : P → C, there is a unique join-preserving map f† : P̂ → C such that the 
diagram on the left below commutes. 



[Diagram (2): the commuting triangle formed by y_P : P → P̂, f : P → C and f† : P̂ → C; the figure itself is not recoverable from the scan.] 
We call f† the extension of f along y_P. Uniqueness of f† follows from (1). 
Notice that we may instantiate C to any poset of the form Q̂, drawing our 
attention to join-preserving maps P̂ → Q̂. By the freeness property (2), join- 
preserving maps P̂ → Q̂ are in bijective correspondence with monotone maps 
P → Q̂. Each element Y of Q̂ can be represented using its "characteristic func- 
tion", a monotone map f_Y : Q^op → 2 from the opposite order to the simple 
poset 0 < 1 such that Y = {q : f_Y q = 1} and Q̂ ≅ [Q^op, 2]. Uncurrying then 
yields the following chain: 

[P, Q̂] ≅ [P, [Q^op, 2]] ≅ [P × Q^op, 2] = [(P^op × Q)^op, 2] ≅ \widehat{P^op × Q} .    (3) 

So the order P^op × Q provides a function space type. We'll now investigate what 
additional type structure is at hand. 
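As an added example (not from the paper), the following Python script builds P̂ and Q̂ for two constructed finite path orders P and Q, checks prime algebraicity (1), finds by brute force the unique join-preserving extension f† of a monotone f : P → Q̂ (the freeness property (2)), and converts f into the downwards-closed subset of P^op × Q promised by (3).

```python
from itertools import product

# Constructed finite path orders (an assumption of this example, not from the
# paper): a preorder is (elements, set of pairs (x, y) meaning x <= y), given
# here as reflexive, transitive relations.
#   P: computation paths eps <= a <= ab of a process doing `a` then maybe `b`
#   Q: eps below two incomparable paths x and y
P = (("eps", "a", "ab"),
     {("eps", "eps"), ("a", "a"), ("ab", "ab"),
      ("eps", "a"), ("eps", "ab"), ("a", "ab")})
Q = (("eps", "x", "y"),
     {("eps", "eps"), ("x", "x"), ("y", "y"), ("eps", "x"), ("eps", "y")})

# A monotone map f : P -> Q-hat, given on the three paths of P (constructed).
F = {"eps": frozenset({"eps"}),
     "a": frozenset({"eps", "x"}),
     "ab": frozenset({"eps", "x", "y"})}

def leq(pre, x, y):
    return (x, y) in pre[1]

def down(pre, p):
    """y_P p = {p' : p' <=_P p}, the prime of P-hat generated by the path p."""
    return frozenset(q for q in pre[0] if leq(pre, q, p))

def is_path_set(pre, X):
    """A path set is a downwards-closed subset of the path order."""
    return all(q in X for p in X for q in pre[0] if leq(pre, q, p))

def path_sets(pre):
    """P-hat: all path sets, i.e. all meanings of processes of type P."""
    subsets = (frozenset(e for e, keep in zip(pre[0], bits) if keep)
               for bits in product((0, 1), repeat=len(pre[0])))
    return [X for X in subsets if is_path_set(pre, X)]

def prime_algebraic(pre):
    """Equation (1): every X in P-hat is the union of the primes y_P p, p in X."""
    return all(X == frozenset().union(*(down(pre, p) for p in X))
               for X in path_sets(pre))

def is_monotone(pre, f):
    return all(f[p] <= f[q] for p in pre[0] for q in pre[0] if leq(pre, p, q))

def extend(f):
    """f-dagger, the extension of f along y_P from diagram (2):
    X |-> union of f(p) over p in X, so that f-dagger(y_P p) = f(p)."""
    return lambda X: frozenset().union(*(f[p] for p in X))

def is_join_preserving(pre, g):
    """Finite check: g preserves the empty join and binary joins (unions)."""
    PS = path_sets(pre)
    return g(frozenset()) == frozenset() and all(
        g(X | Y) == g(X) | g(Y) for X in PS for Y in PS)

def join_preserving_extensions(preP, preQ, f):
    """Brute force over all maps P-hat -> Q-hat: keep those that preserve joins
    and agree with f on primes.  Freeness (2) says exactly one survives."""
    PS, QS = path_sets(preP), path_sets(preQ)
    found = []
    for images in product(QS, repeat=len(PS)):
        g = dict(zip(PS, images))
        if is_join_preserving(preP, g.__getitem__) and \
                all(g[down(preP, p)] == f[p] for p in preP[0]):
            found.append(g)
    return found

def to_relation(preP, f):
    """The element of (P^op x Q)-hat corresponding to f under (3)."""
    return frozenset((p, q) for p in preP[0] for q in f[p])

def is_down_closed_in_Pop_x_Q(preP, preQ, R):
    """Down-closure in P^op x Q: (p, q) in R, p <=_P p', q' <=_Q q => (p', q') in R."""
    return all((p2, q2) in R for (p, q) in R
               for p2 in preP[0] if leq(preP, p, p2)
               for q2 in preQ[0] if leq(preQ, q2, q))

def from_relation(preP, R):
    """Inverse of to_relation: read off the monotone map P -> Q-hat again."""
    return {p: frozenset(q for p2, q in R if p2 == p) for p in preP[0]}

if __name__ == "__main__":
    print("P-hat has", len(path_sets(P)), "path sets; Q-hat has", len(path_sets(Q)))
    print("(1) holds for P and Q:", prime_algebraic(P) and prime_algebraic(Q))
    print("join-preserving extensions of f:", len(join_preserving_extensions(P, Q, F)))
    print("f as a relation:", sorted(to_relation(P, F)))
```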

2.1 Linear and Continuous Categories 

Write Lin for the category with path orders P, Q, ... as objects and join-pre- 
serving maps P̂ → Q̂ as arrows. It turns out Lin has enough structure to be 
understood as a categorical model of Girard's linear logic [5,22]. Accordingly, 
we'll call arrows of Lin linear maps. 

Linear maps are represented by elements of \widehat{P^op × Q} and so by downwards- 
closed subsets of the order P^op × Q. This relational presentation exposes an 
involution central in understanding Lin as a categorical model of classical linear 
logic. The involution of linear logic, yielding P^⊥ on an object P, is given by 
P^op; clearly, downwards-closed subsets of P^op × Q correspond to downwards- 
closed subsets of (Q^op)^op × P^op, showing how maps P → Q correspond to maps 
Q^⊥ → P^⊥ in Lin. The tensor product of P and Q is given by the product 
of preorders P × Q; the singleton order 1 is a unit for tensor. Linear function 
space P ⊸ Q is then obtained as P^op × Q. Products P & Q are given by P + Q, 
the disjoint juxtaposition of preorders. An element of \widehat{P & Q} can be identified 
with a pair (X, Y) with X ∈ P̂ and Y ∈ Q̂, which provides the projections 
π_1 : P & Q → P and π_2 : P & Q → Q in Lin. More generally, not just binary, 
products &_{i∈I} P_i with projections π_j, for j ∈ I, are defined similarly. From the 
universal property of products, a collection of maps f_i : P → P_i, for i ∈ I, can be 
tupled together to form a unique map ⟨f_i⟩_{i∈I} : P → &_{i∈I} P_i with the property 
that π_j ∘ ⟨f_i⟩_{i∈I} = f_j for all j ∈ I. The empty product is given by the empty 
order O and, as the terminal object, is associated with unique maps ∅_P : P → O, 
constantly ∅, for any path order P. All told, Lin is a *-autonomous category, 
so a symmetric monoidal closed category with a dualising object, and has finite 
products as required by Seely's definition of a model of linear logic [22]. 

In fact, Lin also has all coproducts, also given on objects $P$ and $Q$ by the
juxtaposition $P + Q$ and so coinciding with products. Injection maps $in_1 : P \to P + Q$
and $in_2 : Q \to P + Q$ in Lin derive from the obvious injections into the
disjoint sum of preorders. The empty coproduct is the empty order $O$ which
is then a zero object. This collapse of products and coproducts highlights that
Lin has arbitrary biproducts. Via the isomorphism $\mathrm{Lin}(P, Q) \cong \widehat{P^{op} \times Q}$, each
homset of Lin can be seen as a commutative monoid with neutral element the
always $\emptyset$ map, itself written $\emptyset : P \to Q$, and sum given by union, written $+$.
Composition in Lin is bilinear in that, given $f, f' : P \to Q$ and $g, g' : Q \to R$, we
have $(g + g') \circ (f + f') = g \circ f + g \circ f' + g' \circ f + g' \circ f'$. Further, given a family
of objects $(P_\alpha)_{\alpha \in A}$, we have for each $\beta \in A$ a diagram

$$P_\beta \xrightarrow{in_\beta} \Sigma_{\alpha \in A} P_\alpha \xrightarrow{\pi_\beta} P_\beta \quad\text{such that}\quad \pi_\beta \circ in_\beta = 1_{P_\beta}\ ,\quad \pi_\beta \circ in_\alpha = \emptyset \text{ if } \alpha \neq \beta\ ,\quad \Sigma_{\alpha \in A}(in_\alpha \circ \pi_\alpha) = 1_{\Sigma_{\alpha \in A} P_\alpha}\ . \qquad (4)$$

Processes of type $\Sigma_{\alpha \in A} P_\alpha$ may intuitively perform computation paths in any of
the component path orders $P_\alpha$.

We see that Lin is rich in structure. But linear maps alone are too restrictive.
Being join-preserving, they in particular preserve the empty join. So, unlike
e.g. prefixing, linear maps always send the inactive process $\emptyset$ to itself. Looking
for a broader notion of maps between nondeterministic domains we follow the
discipline of linear logic and consider non-linear maps, i.e. maps whose domain
is under an exponential, $!$. One choice of a suitable exponential for Lin is got
by taking $!P$ to be the preorder obtained as the free finite-join completion of
$P$. Concretely, $!P$ can be defined to have finite subsets of $P$ as elements with
ordering given by $\le_{!P}$, defined for arbitrary subsets $X, Y$ of $P$ as follows:

$$X \le_{!P} Y \iff_{\mathrm{def}} \forall p \in X.\ \exists q \in Y.\ p \le_P q \ . \qquad (5)$$

When $!P$ is quotiented by the equivalence induced by the preorder we obtain a
poset which is the free finite-join completion of $P$. By further using the obvious
inclusion of this completion into $\widehat{P}$, we get a map $i_P : !P \to \widehat{P}$ sending a finite
set $\{p_1, \ldots, p_n\}$ to the join $y_P p_1 + \cdots + y_P p_n$. Such finite sums of primes are
the finite (isolated, compact) elements of $\widehat{P}$. The map $i_P$ assumes the role of $y_P$
above. For any $X \in \widehat{P}$ and $P \in !P$, we have $i_P P \subseteq X$ iff $P \le_{!P} X$, and $X$ is the
directed join of the finite elements below it:

$$X = \bigcup_{P \le_{!P} X} i_P\, P \ . \qquad (6)$$

Further, $\widehat{P}$ is the free directed-join completion of $!P$ (also known as the ideal
completion of $!P$). This means that given any monotone map $f : !P \to C$ for
some directed-join complete poset $C$, there is a unique directed-join preserving
(i.e. Scott continuous) map $f^\ddagger : \widehat{P} \to C$ such that the diagram below commutes.

$$f^\ddagger X = \bigcup_{P \le_{!P} X} f\, P \ . \qquad (7)$$

Uniqueness of $f^\ddagger$, called the extension of $f$ along $i_P$, follows from (6). As before,
we can replace $C$ by a nondeterministic domain $\widehat{Q}$ and by the freeness properties
(2) and (7), there is a bijective correspondence between linear maps $!P \to Q$ and
continuous maps $P \to Q$.
We define the category Cts to have path orders $P, Q, \ldots$ as objects and
continuous maps $P \to Q$ as arrows. These arrows allow more process operations,
including prefixing, to be expressed. The structure of Cts is induced by that of
Lin via an adjunction between the two categories.



2.2 An Adjunction 

As linear maps are continuous, Cts has Lin as a sub-category, one which shares
the same objects. We saw above that there is a bijection

$$\mathrm{Lin}(!P, Q) \cong \mathrm{Cts}(P, Q) \ . \qquad (8)$$

This is in fact natural in $P$ and $Q$ so an adjunction with the inclusion Lin $\hookrightarrow$ Cts
as right adjoint. Via (7) the map $y_{!P} : !P \to \widehat{!P}$ extends to a map $\eta_P = y_{!P}^\ddagger : P \to !P$
in Cts. Conversely, $i_P : !P \to \widehat{P}$ extends to a map $\varepsilon_P = i_P^\dagger : !P \to P$ in Lin using
(2). These maps are the unit and counit, respectively, of the adjunction:

$$\eta_P X = \{P : P \le_{!P} X\} \qquad \varepsilon_P Y = \bigcup_{P \in Y} i_P\, P \qquad (9)$$

The left adjoint is the functor $! : \mathrm{Cts} \to \mathrm{Lin}$ given on arrows $f : P \to Q$
by $(\eta_Q \circ f \circ i_P)^\dagger : !P \to !Q$. The bijection (8) then maps $g : !P \to Q$ in Lin
to $\bar g = g \circ \eta_P : P \to Q$ in Cts while its inverse maps $f : P \to Q$ in Cts to
$\bar f = \varepsilon_Q \circ\, !f$ in Lin. We call $\bar g$ and $\bar f$ the transpose of $g$ and $f$, respectively; of
course, transposing twice yields back the original map. As Lin is a sub-category
of Cts, the counit is also a map in Cts. We have $\varepsilon_P \circ \eta_P = 1_P$ and $1_{!P} \le \eta_P \circ \varepsilon_P$
for all objects $P$.

Right adjoints preserve products, and so Cts has products given as in Lin.
Hence, Cts is a symmetric monoidal category like Lin, and in fact, our adjunction
is symmetric monoidal. In detail, there are isomorphisms of path orders,

$$k : \mathbf{1} \cong\ !O \quad\text{and}\quad m_{P,Q} : !P \times !Q \cong\ !(P \& Q) \ , \qquad (10)$$

with $m_{P,Q}$ mapping a pair $(P, Q) \in !P \times !Q$ to the union $in_1 P \cup in_2 Q$; any
element of $!(P \& Q)$ can be written on this form. These isomorphisms induce
isomorphisms with the same names in Lin with $m$ natural. Moreover, $k$ and $m$
commute with the associativity, symmetry and unit maps of Lin and Cts, such
as $s_{P,Q} : P \times Q \cong Q \times P$ and $r_Q : Q \& O \cong Q$, making $!$ symmetric monoidal.
It then follows [13] that the inclusion Lin $\hookrightarrow$ Cts is symmetric monoidal as
well, and that the unit and counit are monoidal transformations. Thus, there
are maps

$$l : O \to \mathbf{1} \quad\text{and}\quad n_{P,Q} : P \& Q \to P \times Q \qquad (11)$$

in Cts, with $n$ natural, corresponding to $k$ and $m$ above; $l$ maps $\emptyset$ to $\{*\}$ while
$n_{P,Q}$ is the extension of the map $h(in_1 P \cup in_2 Q) = i_P P \times i_Q Q$. Also, the unit
makes the diagrams below commute and the counit satisfies similar properties.

[diagram (12), left square: $P \& Q \xrightarrow{\eta_P \& \eta_Q} !P \& !Q \xrightarrow{n_{!P,!Q}} !P \times !Q \xrightarrow{m_{P,Q}} !(P \& Q)$ equals $\eta_{P \& Q} : P \& Q \to !(P \& Q)$] $\qquad (12)$

The diagram on the left can be written as $str_{P,Q} \circ (1_P \& \eta_Q) = \eta_{P \& Q}$ where $str$,
the strength of $!$ viewed as a monad on Cts, is the natural transformation

$$P \& !Q \xrightarrow{\eta_P \& 1_{!Q}} !P \& !Q \xrightarrow{n_{!P,!Q}} !P \times !Q \xrightarrow{m_{P,Q}} !(P \& Q) \ . \qquad (13)$$

Finally, recall that the category Lin is symmetric monoidal closed so that
the functor $(Q \multimap -)$ is right adjoint to $(- \times Q)$ for any object $Q$. Together with
the natural isomorphism $m$ this provides a right adjoint $(Q \to -)$, defined by
$(!Q \multimap -)$, to the functor $(- \& Q)$ in Cts via the chain

$$\mathrm{Cts}(P \& Q, R) \cong \mathrm{Lin}(!(P \& Q), R) \cong \mathrm{Lin}(!P \times !Q, R) \cong \mathrm{Lin}(!P, !Q \multimap R) \cong \mathrm{Cts}(P, !Q \multimap R) = \mathrm{Cts}(P, Q \to R) \qquad (14)$$

natural in $P$ and $R$. This demonstrates that Cts is cartesian closed, as is well
known. The adjunction between Lin and Cts now satisfies the conditions put
forward by Benton for a categorical model of intuitionistic linear logic, strengthening
those of Seely [1,22]; see also [13] for a recent survey of such models.

3 Denotational Semantics 

HOPLA is directly suggested by the structure of Cts. The language is typed
with types given by the grammar

$$T ::= T_1 \to T_2 \mid \Sigma_{\alpha \in A} T_\alpha \mid\ !T \mid \mathbf{T} \mid \mu_j \vec{\mathbf{T}}.\vec{T} \ . \qquad (15)$$

The symbol $\mathbf{T}$ is drawn from a set of type variables used in defining recursive
types; closed type expressions are interpreted as path orders. Using vector notation,
$\mu_j \vec{\mathbf{T}}.\vec{T}$ abbreviates $\mu_j \mathbf{T}_1, \ldots, \mathbf{T}_k.(T_1, \ldots, T_k)$ and is interpreted as the
$j$-component, for $1 \le j \le k$, of “the least” solution to the defining equations
$\mathbf{T}_1 = T_1, \ldots, \mathbf{T}_k = T_k$, in which the expressions $T_1, \ldots, T_k$ may contain the
$\mathbf{T}_j$’s. We shall write $\mu \vec{\mathbf{T}}.\vec{T}$ as an abbreviation for the $k$-tuple with $j$-component
$\mu_j \vec{\mathbf{T}}.\vec{T}$, and confuse a closed expression for a path order with the path order itself.
Simultaneous recursive equations for path orders can be solved using information
systems [21,12]. Here, it will be convenient to give a concrete, inductive
characterisation based on a language of paths:

$$p, q ::= P \mapsto q \mid \beta p \mid P \mid abs\ p \ . \qquad (16)$$

Above, $P$ ranges over finite sets of paths. We use $P \mapsto q$ as notation for pairs in
the function space $(!P)^{op} \times Q$. The language is complemented by formation rules
using judgements $p : P$, meaning that $p$ belongs to $P$, displayed below on top of
rules defining the ordering on $P$ using judgements $p \le_P p'$. Recall that $P \le_{!P} P'$
means $\forall p \in P\ \exists p' \in P'.\ p \le_P p'$.

$$\frac{P : !P \quad q : Q}{P \mapsto q : P \to Q} \qquad \frac{p : P_\beta \quad \beta \in A}{\beta p : \Sigma_{\alpha \in A} P_\alpha} \qquad \frac{p_1 : P \ \cdots\ p_n : P}{\{p_1, \ldots, p_n\} : !P} \qquad \frac{p : T_j[\mu\vec{\mathbf{T}}.\vec{T}/\vec{\mathbf{T}}]}{abs\ p : \mu_j \vec{\mathbf{T}}.\vec{T}}$$

$$\frac{P' \le_{!P} P \quad q \le_Q q'}{P \mapsto q \le_{P \to Q} P' \mapsto q'} \qquad \frac{p \le_{P_\beta} p'}{\beta p \le_{\Sigma_{\alpha \in A} P_\alpha} \beta p'} \qquad \frac{P \le_{!P} P'}{P \le_{!P} P'} \qquad \frac{p \le_{T_j[\mu\vec{\mathbf{T}}.\vec{T}/\vec{\mathbf{T}}]} p'}{abs\ p \le_{\mu_j \vec{\mathbf{T}}.\vec{T}} abs\ p'}$$




Full Abstraction for HOPLA 389



Using information systems as in [12] yields the same representation, except
for the tagging with $abs$ in recursive types, done to help in the proof of adequacy
in Sect. 4.1. So rather than the straight equality between a recursive
type and its unfolding which we are used to from [12], we get an isomorphism
$abs : T_j[\mu\vec{\mathbf{T}}.\vec{T}/\vec{\mathbf{T}}] \cong \mu_j \vec{\mathbf{T}}.\vec{T}$ whose inverse we call $rep$.

As an example consider the type of CCS processes given in [19] as the path
order $P$ satisfying $P = \Sigma_{\alpha \in A}\, !P$ where $A$ is a set of CCS actions. The elements of
$P$ then have the form $abs(\beta P)$ where $\beta \in A$ and $P$ is a finite set of paths from $P$.
Intuitively, a CCS process can perform such a path if it can perform the action
$\beta$ and, following that, is able to perform each path in $P$.
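As an added example (not code from the paper), the path language (16) and its ordering, including the finite-set preorder (5) that orders $!$-paths, as a small checker in Python; the CCS helper at the end builds paths of the type $P = \Sigma_{\alpha \in A}\, !P$ just described. The tuple encoding and the tag names are this example's own choices, and types are not tracked since the ordering rules have the same shape at every type.

```python
"""Added example: the HOPLA path language (16) and its ordering, with the
finite-set preorder (5) used for paths of !P.  Encoding (this example's own):
  ('fun', P, q)    -- P |-> q, with P a frozenset of paths
  ('inj', beta, p) -- beta p
  ('set', P)       -- a finite set of paths, i.e. a path of !P
  ('abs', p)       -- abs p
"""
from __future__ import annotations
from typing import Callable


def set_leq(X: frozenset, Y: frozenset, leq: Callable) -> bool:
    """(5): X <=_{!P} Y  iff  for every p in X there is q in Y with p <=_P q."""
    return all(any(leq(p, q) for q in Y) for p in X)


def path_leq(p: tuple, q: tuple) -> bool:
    """Ordering on paths, one case per ordering rule below (16)."""
    if p[0] != q[0]:
        return False                      # paths of different shape are incomparable
    tag = p[0]
    if tag == 'fun':                      # P |-> r <= P' |-> r'  iff  P' <= P and r <= r'
        _, P, r = p                       # note the contravariance in the argument set
        _, P2, r2 = q
        return set_leq(P2, P, path_leq) and path_leq(r, r2)
    if tag == 'inj':                      # beta p <= beta p'  iff  same injection and p <= p'
        return p[1] == q[1] and path_leq(p[2], q[2])
    if tag == 'set':                      # paths of !P are ordered by (5)
        return set_leq(p[1], q[1], path_leq)
    if tag == 'abs':                      # abs p <= abs p'  iff  p <= p'
        return path_leq(p[1], q[1])
    raise ValueError(f"unknown path constructor {tag!r}")


def ccs(action: str, *continuations: tuple) -> tuple:
    """A CCS path abs(beta P): do `action`, then be able to do every path in P."""
    return ('abs', ('inj', action, ('set', frozenset(continuations))))


def is_preorder(paths: list) -> bool:
    """Check reflexivity and transitivity of path_leq on a finite sample."""
    refl = all(path_leq(p, p) for p in paths)
    trans = all(path_leq(p, r)
                for p in paths for q in paths for r in paths
                if path_leq(p, q) and path_leq(q, r))
    return refl and trans


if __name__ == "__main__":
    a, ab = ccs('a'), ccs('a', ccs('b'))
    print(path_leq(a, ab), path_leq(ab, a))   # a path that does less sits below
```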

The raw syntax of HOPLA terms is given by

$$t, u ::= x \mid rec\ x.t \mid \Sigma_{i \in I} t_i \mid \lambda x.t \mid t\ u \mid \beta t \mid \pi_\beta t \mid\ !t \mid [u > !x \Rightarrow t] \mid abs\ t \mid rep\ t \ . \qquad (17)$$

The variables $x$ in the terms $rec\ x.t$, $\lambda x.t$, and $[u > !x \Rightarrow t]$ are binding occurrences
with scope $t$. We shall take for granted an understanding of free and
bound variables, and substitution on raw terms.

Let $P_1, \ldots, P_k, Q$ be closed type expressions and assume that the variables
$x_1, \ldots, x_k$ are distinct. A syntactic judgement $x_1 : P_1, \ldots, x_k : P_k \vdash t : Q$ stands
for a map $[\![x_1 : P_1, \ldots, x_k : P_k \vdash t : Q]\!] : P_1 \& \cdots \& P_k \to Q$ in Cts. We’ll write $\Gamma$,
or $\Delta$, for an environment list $x_1 : P_1, \ldots, x_k : P_k$ and most often abbreviate the
denotation to $P_1 \& \cdots \& P_k \xrightarrow{t} Q$, or $\Gamma \xrightarrow{t} Q$, or even $[\![t]\!]$, suppressing the typing
information. When the environment list is empty, the corresponding product is
the empty path order $O$.

The term-formation rules are displayed below alongside their interpretations
as constructors on maps of Cts, taking the maps denoted by the premises to
that denoted by the conclusion (cf. [2]). We assume that the variables in any
environment list which appears are distinct.

Structural rules. The rules handling environment lists are given as follows:

$$\frac{}{x : P \vdash x : P} \qquad P \xrightarrow{1_P} P \qquad (18)$$

$$\frac{\Gamma \vdash t : Q}{\Gamma, x : P \vdash t : Q} \qquad \frac{\Gamma \xrightarrow{t} Q}{\Gamma \& P \xrightarrow{t \& \emptyset_P} Q \& O \cong Q} \qquad (19)$$

$$\frac{\Gamma, y : Q, x : P, \Delta \vdash t : R}{\Gamma, x : P, y : Q, \Delta \vdash t : R} \qquad \frac{\Gamma \& Q \& P \& \Delta \xrightarrow{t} R}{\Gamma \& P \& Q \& \Delta \cong \Gamma \& Q \& P \& \Delta \xrightarrow{t} R} \qquad (20)$$

$$\frac{\Gamma, x : P, y : P \vdash t : Q}{\Gamma, z : P \vdash t[z/x, z/y] : Q} \qquad \frac{\Gamma \& P \& P \xrightarrow{t} Q}{\Gamma \& P \xrightarrow{1_\Gamma \& \Delta_P} \Gamma \& P \& P \xrightarrow{t} Q} \qquad (21)$$

In the formation rule for contraction (21), the variable $z$ must be fresh; the map
$\Delta_P$ is the usual diagonal, given as $\langle 1_P, 1_P \rangle$.

Recursive definition. Since each $\widehat{P}$ is a complete lattice, it admits least fixed-points
of continuous maps. If $f : \widehat{P} \to \widehat{P}$ is continuous, it has a least fixed-point
$fix\, f \in \widehat{P}$. Below, $fix\, F$ is the fixpoint in $\mathrm{Cts}(\Gamma, P)$, the continuous maps
$\widehat{\Gamma} \to \widehat{P}$, of the continuous operation $F$ mapping $g : \Gamma \to P$ in Cts to the composition
$[\![t]\!] \circ (1_\Gamma \& g) \circ \Delta_\Gamma$.

$$\frac{\Gamma, x : P \vdash t : P}{\Gamma \vdash rec\ x.t : P} \qquad \frac{\Gamma \& P \xrightarrow{t} P}{\Gamma \xrightarrow{fix\, F} P} \qquad (22)$$

Nondeterministic sum. Each path order $P$ is associated with a join operation,
$\Sigma : \&_{i \in I} P \to P$ in Cts taking a tuple $\langle t_i \rangle_{i \in I}$ to the join in $\widehat{P}$. We’ll write
$\emptyset$ and $t_1 + \cdots + t_k$ for finite sums.

$$\frac{\Gamma \vdash t_j : P \quad \text{all } j \in I}{\Gamma \vdash \Sigma_{i \in I} t_i : P} \qquad \frac{\Gamma \xrightarrow{t_j} P \quad \text{all } j \in I}{\Gamma \xrightarrow{\langle t_i \rangle_{i \in I}} \&_{i \in I} P \xrightarrow{\Sigma} P} \qquad (23)$$

Function space. As noted at the end of Sect. 2.2, the category Cts is cartesian
closed with function space $P \to Q$. Thus, there is a 1-1 correspondence $curry$
from maps $P \& Q \to R$ to maps $P \to (Q \to R)$ in Cts; its inverse is called
$uncurry$. We obtain application, $app : (P \to Q) \& P \to Q$, as $uncurry$ applied to the
identity on $P \to Q$.

$$\frac{\Gamma, x : P \vdash t : Q}{\Gamma \vdash \lambda x.t : P \to Q} \qquad \frac{\Gamma \& P \xrightarrow{t} Q}{\Gamma \xrightarrow{curry\, t} (P \to Q)} \qquad (24)$$

$$\frac{\Gamma \vdash t : P \to Q \quad \Delta \vdash u : P}{\Gamma, \Delta \vdash t\ u : Q} \qquad \frac{\Gamma \xrightarrow{t} P \to Q \quad \Delta \xrightarrow{u} P}{\Gamma \& \Delta \xrightarrow{t \& u} (P \to Q) \& P \xrightarrow{app} Q} \qquad (25)$$

Sum type. The category Cts does not have coproducts, but we can build a useful
sum type out of the biproduct of Lin. The properties of (4) are obviously also
satisfied in Cts, even though the construction is universal only in the subcategory
of linear maps because composition is generally not bilinear in Cts. We’ll write $O$
and $P_1 + \cdots + P_k$ for the empty and finite sum types. The product $P_1 \& P_2$ of [19]
with pairing $(t, u)$ and projection terms $fst\ t$, $snd\ t$ can be encoded, respectively,
as the type $P_1 + P_2$, and the terms $1t + 2u$ and $\pi_1 t$, $\pi_2 t$.

$$\frac{\Gamma \vdash t : P_\beta \quad \beta \in A}{\Gamma \vdash \beta t : \Sigma_{\alpha \in A} P_\alpha} \qquad \frac{\Gamma \xrightarrow{t} P_\beta \quad \beta \in A}{\Gamma \xrightarrow{t} P_\beta \xrightarrow{in_\beta} \Sigma_{\alpha \in A} P_\alpha} \qquad (26)$$

$$\frac{\Gamma \vdash t : \Sigma_{\alpha \in A} P_\alpha \quad \beta \in A}{\Gamma \vdash \pi_\beta t : P_\beta} \qquad \frac{\Gamma \xrightarrow{t} \Sigma_{\alpha \in A} P_\alpha \quad \beta \in A}{\Gamma \xrightarrow{t} \Sigma_{\alpha \in A} P_\alpha \xrightarrow{\pi_\beta} P_\beta} \qquad (27)$$

Prefixing. The adjunction between Lin and Cts provides a type constructor,
$!(-)$, for which the unit $\eta_P : P \to !P$ and counit $\varepsilon_P : !P \to P$ may interpret term
constructors and deconstructors, respectively. The behaviour of $\eta_P$ with respect
to maps of Cts fits that of an anonymous prefix operation. We’ll say that $\eta_P$
maps $u$ of type $P$ to a “prefixed” process $!u$ of type $!P$; intuitively, the process
$!u$ will be able to perform an action, which we call $!$, before continuing as $u$.

$$\frac{\Gamma \vdash u : P}{\Gamma \vdash\ !u : !P} \qquad \frac{\Gamma \xrightarrow{u} P}{\Gamma \xrightarrow{u} P \xrightarrow{\eta_P} !P} \qquad (28)$$

By the universal property of $\eta_P$, if $t$ of type $Q$ has a free variable of type $P$, and
so is interpreted as a map $t : P \to Q$ in Cts, then the transpose $\bar t = \varepsilon_Q \circ\, !t$ is
the unique map $!P \to Q$ in Lin such that $t = \bar t \circ \eta_P$. With $u$ of type $!P$, we’ll
write $[u > !x \Rightarrow t]$ for $\bar t\, u$. Intuitively, this construction “tests” or matches $u$
against the pattern $!x$ and passes the results of successful matches for $x$ on to $t$.
Indeed, first prefixing a term $u$ of type $P$ and then matching yields a successful
match $u$ for $x$ as $\bar t(\eta_P u) = t\, u$. By linearity of $\bar t$, the possibly multiple results of
successful matches are nondeterministically summed together; the denotations
of $[\Sigma_{i \in I} u_i > !x \Rightarrow t]$ and $\Sigma_{i \in I}[u_i > !x \Rightarrow t]$ are identical.

The above clearly generalises to the case where $u$ is an open term, but if $t$
has free variables other than $x$, we need to make use of the strength map (13):

$$\frac{\Gamma, x : P \vdash t : Q \quad \Delta \vdash u : !P}{\Gamma, \Delta \vdash [u > !x \Rightarrow t] : Q} \qquad \frac{\Gamma \& P \xrightarrow{t} Q \quad \Delta \xrightarrow{u} !P}{\Gamma \& \Delta \xrightarrow{1_\Gamma \& u} \Gamma \& !P \xrightarrow{str_{\Gamma,P}} !(\Gamma \& P) \xrightarrow{\bar t} Q} \qquad (29)$$
Recursive types. Folding and unfolding recursive types is accompanied by term
constructors $abs$ and $rep$:

$$\frac{\Gamma \vdash t : T_j[\mu\vec{\mathbf{T}}.\vec{T}/\vec{\mathbf{T}}]}{\Gamma \vdash abs\ t : \mu_j \vec{\mathbf{T}}.\vec{T}} \qquad \frac{\Gamma \xrightarrow{t} T_j[\mu\vec{\mathbf{T}}.\vec{T}/\vec{\mathbf{T}}]}{\Gamma \xrightarrow{t} T_j[\mu\vec{\mathbf{T}}.\vec{T}/\vec{\mathbf{T}}] \xrightarrow{abs} \mu_j \vec{\mathbf{T}}.\vec{T}} \qquad (30)$$

$$\frac{\Gamma \vdash t : \mu_j \vec{\mathbf{T}}.\vec{T}}{\Gamma \vdash rep\ t : T_j[\mu\vec{\mathbf{T}}.\vec{T}/\vec{\mathbf{T}}]} \qquad \frac{\Gamma \xrightarrow{t} \mu_j \vec{\mathbf{T}}.\vec{T}}{\Gamma \xrightarrow{t} \mu_j \vec{\mathbf{T}}.\vec{T} \xrightarrow{rep} T_j[\mu\vec{\mathbf{T}}.\vec{T}/\vec{\mathbf{T}}]} \qquad (31)$$

3.1 Useful Equivalences 

We provide some technical results about the path semantics which are used in
the proof of soundness, Proposition 10. Proofs can be found in [20].

Lemma 1 (Substitution). Suppose $\Gamma, x : P \vdash t : Q$ and $\Delta \vdash u : P$ with $\Gamma$
and $\Delta$ disjoint. Then $\Gamma, \Delta \vdash t[u/x] : Q$ with denotation given by the composition
$[\![t]\!] \circ (1_\Gamma \& [\![u]\!])$.

Corollary 2. If $\Gamma, x : P \vdash t : P$, then $\Gamma \vdash t[rec\ x.t/x] : P$ and $[\![rec\ x.t]\!] =
[\![t[rec\ x.t/x]]\!]$ so recursion amounts to unfolding.

Corollary 3. Application amounts to substitution. In the situation of the substitution
lemma, we have $[\![(\lambda x.t)\ u]\!] = [\![t[u/x]]\!]$.

Proposition 4. From the properties of the biproduct and by linearity of injections
and projections, we get:

$$[\![\pi_\beta(\beta t)]\!] = [\![t]\!] \qquad [\![\pi_\beta(\alpha t)]\!] = \emptyset \ \text{ if } \alpha \neq \beta \qquad [\![\Sigma_{\alpha \in A}\, \alpha(\pi_\alpha t)]\!] = [\![t]\!] \qquad (32)$$

Proposition 5. The prefix match satisfies the properties

$$[\![[!u > !x \Rightarrow t]]\!] = [\![t[u/x]]\!] \qquad [\![[\Sigma_{i \in I} u_i > !x \Rightarrow t]]\!] = [\![\Sigma_{i \in I} [u_i > !x \Rightarrow t]]\!] \qquad (33)$$

3.2 Full Abstraction 

We define a program to be a closed term $t$ of type $!O$. A $(\Gamma, P)$-program context
$C$ is a term with holes into which a term $t$ with $\Gamma \vdash t : P$ may be put to form a
program $\vdash C(t) : !O$. The denotational semantics gives rise to a type-respecting
contextual preorder [15]:

Definition 6. Suppose $\Gamma \vdash t_1 : P$ and $\Gamma \vdash t_2 : P$. We say that $t_1$ and $t_2$ are
related by contextual preorder, written $t_1 \sqsubseteq t_2$, iff for all $(\Gamma, P)$-program contexts
$C$, we have $[\![C(t_1)]\!] \neq \emptyset \Rightarrow [\![C(t_2)]\!] \neq \emptyset$. If both $t_1 \sqsubseteq t_2$ and $t_2 \sqsubseteq t_1$, we say
that $t_1$ and $t_2$ are contextually equivalent.

Contextual equivalence coincides with path equivalence:

Theorem 7 (Full abstraction). For any terms $\Gamma \vdash t_1 : P$ and $\Gamma \vdash t_2 : P$,

$$[\![t_1]\!] \subseteq [\![t_2]\!] \iff t_1 \sqsubseteq t_2 \ . \qquad (34)$$

Proof. Suppose $[\![t_1]\!] \subseteq [\![t_2]\!]$ and let $C$ be a $(\Gamma, P)$-program context with $[\![C(t_1)]\!] \neq
\emptyset$. As $[\![t_1]\!] \subseteq [\![t_2]\!]$ we have $[\![C(t_2)]\!] \neq \emptyset$ by monotonicity, and so $t_1 \sqsubseteq t_2$ as wanted.

Now suppose that $t_1 \sqsubseteq t_2$. With $p : P$ we define closed terms $t_p$ of type $P$ and
$(O, P)$-program contexts $C_p$ that respectively “realise” and “consume” the path
$p$, by induction on the structure of $p$. We’ll also need realisers $t_P$ and consumers
$C_P$ of finite sets of paths:

$$\begin{array}{ll}
t_{P \mapsto q} = \lambda x.[C_P(x) > !x' \Rightarrow t_q] & C_{P \mapsto q} = C_q(-\ t_P) \\
t_{\beta p} = \beta t_p & C_{\beta p} = C_p(\pi_\beta\, -) \\
t_P = !t_P & C_P = [- > !x \Rightarrow C_P(x)] \\
t_{abs\ p} = abs\ t_p & C_{abs\ p} = C_p(rep\ -) \\
t_{\{p_1, \ldots, p_n\}} = t_{p_1} + \cdots + t_{p_n} & \\
C_{\{p_1, \ldots, p_n\}} = [C_{p_1} > !x \Rightarrow \cdots [C_{p_n} > !x \Rightarrow\ !\emptyset] \cdots] &
\end{array} \qquad (35)$$

Note that $t_\emptyset = \emptyset$ and $C_\emptyset = !\emptyset$. Although the syntax of $t_P$ and $C_P$ depends on a
choice of permutation of the elements of $P$, the semantics obtained for different
permutations is the same. Indeed, we have ($z$ being a fresh variable):

$$[\![t_p]\!] = y_P\, p \qquad [\![\lambda z.C_p(z)]\!] = y_{P \to !O}(\{p\} \mapsto \emptyset) \qquad (36)$$
$$[\![t_P]\!] = i_P\, P \qquad [\![\lambda z.C_P(z)]\!] = y_{P \to !O}(P \mapsto \emptyset)$$

Suppose $t_1$ and $t_2$ are closed. Given any $p \in [\![t_1]\!]$ we have $[\![C_p(t_1)]\!] \neq \emptyset$ and so
using $t_1 \sqsubseteq t_2$, we get $[\![C_p(t_2)]\!] \neq \emptyset$, so that $p \in [\![t_2]\!]$. It follows that $[\![t_1]\!] \subseteq [\![t_2]\!]$.

As for open terms, suppose $\Gamma = x_1 : P_1, \ldots, x_k : P_k$. Writing $\lambda \vec{x}.t_1$ for the
closed term $\lambda x_1. \cdots \lambda x_k.t_1$ and likewise for $t_2$, we get

$$t_1 \sqsubseteq t_2 \Rightarrow \lambda\vec{x}.t_1 \sqsubseteq \lambda\vec{x}.t_2 \Rightarrow [\![\lambda\vec{x}.t_1]\!] \subseteq [\![\lambda\vec{x}.t_2]\!] \Rightarrow [\![t_1]\!] \subseteq [\![t_2]\!] \ . \qquad (37)$$

The proof is complete. □

Fig. 1. Operational rules

$$\frac{P : t[rec\ x.t/x] \xrightarrow{a} t'}{P : rec\ x.t \xrightarrow{a} t'} \qquad \frac{P : t_j \xrightarrow{a} t' \quad j \in I}{P : \Sigma_{i \in I} t_i \xrightarrow{a} t'}$$

$$\frac{Q : t[u/x] \xrightarrow{a} t'}{P \to Q : \lambda x.t \xrightarrow{u \mapsto a} t'} \qquad \frac{P \to Q : t \xrightarrow{u \mapsto a} t'}{Q : t\ u \xrightarrow{a} t'}$$

$$\frac{P_\beta : t \xrightarrow{a} t'}{\Sigma_{\alpha \in A} P_\alpha : \beta t \xrightarrow{\beta a} t'} \qquad \frac{\Sigma_{\alpha \in A} P_\alpha : t \xrightarrow{\beta a} t'}{P_\beta : \pi_\beta t \xrightarrow{a} t'}$$

$$\frac{}{!P : !t \xrightarrow{!} t} \qquad \frac{!P : u \xrightarrow{!} u' \quad Q : t[u'/x] \xrightarrow{a} t'}{Q : [u > !x \Rightarrow t] \xrightarrow{a} t'}$$

$$\frac{T_j[\mu\vec{\mathbf{T}}.\vec{T}/\vec{\mathbf{T}}] : t \xrightarrow{a} t'}{\mu_j \vec{\mathbf{T}}.\vec{T} : abs\ t \xrightarrow{abs\ a} t'} \qquad \frac{\mu_j \vec{\mathbf{T}}.\vec{T} : t \xrightarrow{abs\ a} t'}{T_j[\mu\vec{\mathbf{T}}.\vec{T}/\vec{\mathbf{T}}] : rep\ t \xrightarrow{a} t'}$$



4 Operational Semantics 

HOPLA can be given an operational semantics using actions defined by

$$a ::= u \mapsto a \mid \beta a \mid\ ! \mid abs\ a \ . \qquad (38)$$

We assign types to actions $a$ using a judgement of the form $P : a : P'$. Intuitively,
performing the action $a$ turns a process of type $P$ into a process of type $P'$.

$$\frac{\vdash u : P \quad Q : a : P'}{P \to Q : u \mapsto a : P'} \qquad \frac{P_\beta : a : P' \quad \beta \in A}{\Sigma_{\alpha \in A} P_\alpha : \beta a : P'} \qquad \frac{}{!P : ! : P} \qquad \frac{T_j[\mu\vec{\mathbf{T}}.\vec{T}/\vec{\mathbf{T}}] : a : P'}{\mu_j \vec{\mathbf{T}}.\vec{T} : abs\ a : P'} \qquad (39)$$

Notice that in $P : a : P'$, the type $P'$ is unique given $P$ and $a$. The operational
rules of Fig. 1 define a relation $P : t \xrightarrow{a} t'$ where $\vdash t : P$ and $P : a : P'$.¹ An easy
rule induction shows

Proposition 8. If $P : t \xrightarrow{a} t'$ with $P : a : P'$, then $\vdash t' : P'$.

Accordingly, we’ll write $P : t \xrightarrow{a} t' : P'$ when $P : t \xrightarrow{a} t'$ and $P : a : P'$.

¹ The explicit types in the operational rules were missing in the rules given in [19].
They are needed to ensure that the types of $t$ and $a$ agree in transitions.
4.1 Soundness and Adequacy

For each action $P : a : P'$ we define a linear map $a^* : P \to !P'$ which intuitively
maps a process $t$ of type $P$ to a representation of its possible successors after
performing the action $a$. In order to distinguish between, say, the successor $\emptyset$
and no successors, $a^*$ embeds into the type $!P'$ rather than using $P'$ itself. For
instance, the successors after action $!$ of the processes $!\emptyset$ and $\emptyset$ are, respectively,
$!^*[\![!\emptyset]\!] = 1_{!P}(\eta_P \emptyset) = \eta_P \emptyset$ and $!^*[\![\emptyset]\!] = 1_{!P}\, \emptyset = \emptyset$. It will be convenient to treat
$a^*$ as a syntactic operation and so we define a term $a^* t$ such that $[\![a^* t]\!] = a^* [\![t]\!]$:

$$\begin{array}{ll}
(u \mapsto a)^* = a^* \circ app \circ (- \& [\![u]\!]) & (u \mapsto a)^* t = a^*(t\ u) \\
(\beta a)^* = a^* \circ \pi_\beta & (\beta a)^* t = a^*(\pi_\beta t) \\
!^* = 1_{!P} & !^* t = t \\
(abs\ a)^* = a^* \circ rep & (abs\ a)^* t = a^*(rep\ t)
\end{array} \qquad (40)$$

The role of $a^*$ is to reduce the action $a$ to a prefix action. Formally the reduction
is captured by the lemma below, proved by structural induction on $a$:

Lemma 9. $P : t \xrightarrow{a} t' : P' \iff\ !P' : a^* t \xrightarrow{!} t' : P'$.

Note that the reduction is done uniformly at all types using deconstructor contexts:
application, projection, and unfolding. This explains the somewhat mysterious
function space actions $u \mapsto a$. A similar use of labels to carry context
information appears e.g. in [6].

Soundness says that the operational notion of “successor” is included in the
semantic notion. The proof is by rule induction on the transition rules, see [20].

Proposition 10 (Soundness). If $P : t \xrightarrow{a} t' : P'$, then $\eta_{P'}[\![t']\!] \subseteq a^*[\![t]\!]$.

We obtain a corresponding adequacy result using logical relations $X \triangleleft_P t$ between
subsets $X \subseteq P$ and closed terms of type $P$. Intuitively, $X \triangleleft_P t$ means
that all paths in $X$ can be “operationally realised” by $t$. Because of recursive
types, these relations cannot be defined by structural induction on the type $P$
and we therefore employ a trick essentially due to Martin-Löf (see [23], Ch. 13).
We define auxiliary relations $p \in_P t$ between paths $p : P$ and closed terms $t$ of
type $P$, by induction on the structure of $p$:

$$\begin{array}{lcl}
X \triangleleft_P t & \iff_{\mathrm{def}} & \forall p \in X.\ p \in_P t \\
P \mapsto q \in_{P \to Q} t & \iff_{\mathrm{def}} & \forall u.\ (P \triangleleft_P u \Rightarrow q \in_Q t\ u) \\
\beta p \in_{\Sigma_{\alpha \in A} P_\alpha} t & \iff_{\mathrm{def}} & p \in_{P_\beta} \pi_\beta t \\
P \in_{!P} t & \iff_{\mathrm{def}} & \exists t'.\ !P : t \xrightarrow{!} t' : P \text{ and } P \triangleleft_P t' \\
abs\ p \in_{\mu_j \vec{\mathbf{T}}.\vec{T}} t & \iff_{\mathrm{def}} & p \in_{T_j[\mu\vec{\mathbf{T}}.\vec{T}/\vec{\mathbf{T}}]} rep\ t
\end{array} \qquad (41)$$

The main lemma below is proved by structural induction on terms, see [20].

Lemma 11. Suppose $\vdash t : P$. Then $[\![t]\!] \triangleleft_P t$.
Proposition 12 (Adequacy). Suppose $\vdash t : P$ and $P : a : P'$. Then

$$a^*[\![t]\!] \neq \emptyset \iff \exists t'.\ P : t \xrightarrow{a} t' : P' \qquad (42)$$

Proof. The “$\Leftarrow$” direction follows from soundness. Assume $a^*[\![t]\!] \neq \emptyset$. Then
because $a^*[\![t]\!]$ is a downwards-closed subset of $!P'$ which has least element $\emptyset$, we
must have $\emptyset \in a^*[\![t]\!]$. Thus $\emptyset \in_{!P'} a^* t$ by Lemma 11, which implies the existence
of a term $t'$ such that $!P' : a^* t \xrightarrow{!} t' : P'$. By Lemma 9 we have $P : t \xrightarrow{a} t' : P'$. □



4.2 Full Abstraction w.r.t. Operational Semantics 

Adequacy allows an operational formulation of contextual equivalence. If $t$ is a
program, we write $t \to$ if there exists $t'$ such that $!O : t \xrightarrow{!} t' : O$. We then have
$t \to$ iff $[\![t]\!] \neq \emptyset$ by adequacy. Hence, two terms $t_1$ and $t_2$ with $\Gamma \vdash t_1 : P$ and
$\Gamma \vdash t_2 : P$ are related by contextual preorder iff for all $(\Gamma, P)$-program contexts
$C$, we have $C(t_1) \to\ \Rightarrow\ C(t_2) \to$.

Full abstraction is often formulated in terms of this operational preorder.
With $t_1$ and $t_2$ as above, the inclusion $[\![t_1]\!] \subseteq [\![t_2]\!]$ holds iff for all $(\Gamma, P)$-program
contexts $C$, we have the implication $C(t_1) \to\ \Rightarrow\ C(t_2) \to$.



4.3 Simulation 

The path semantics does not capture enough of the branching behaviour of processes
to characterise bisimilarity (for that, the presheaf semantics is needed,
see [11,19]). As an example, the processes $!\emptyset + !!\emptyset$ and $!!\emptyset$ have the same denotation,
but are clearly not bisimilar. However, using Hennessy-Milner logic we
can link path equivalence to simulation. In detail, we consider the fragment of
Hennessy-Milner logic given by possibility and finite conjunctions; it is characteristic
for simulation equivalence in the case of image-finite processes [8]. With
$a$ ranging over actions, formulae are given by

$$\phi ::= \langle a \rangle \phi \mid \bigwedge_{i < n} \phi_i \ . \qquad (43)$$

The empty conjunction is written $\top$. We type formulae using judgements $\phi : P$,
the idea being that only processes of type $P$ should be described by $\phi : P$.

$$\frac{P : a : P' \quad \phi : P'}{\langle a \rangle \phi : P} \qquad \frac{\phi_i : P \quad \text{all } i < n}{\bigwedge_{i < n} \phi_i : P} \qquad (44)$$

The notion of satisfaction, written $t \models \phi : P$, is defined by

$$t \models \langle a \rangle \phi : P \iff \exists t'.\ P : t \xrightarrow{a} t' : P' \text{ and } t' \models \phi : P' \qquad (45)$$

$$t \models \bigwedge_{i < n} \phi_i : P \iff t \models \phi_i : P \text{ for each } i < n \ . \qquad (46)$$

Note that $\top : P$ and $t \models \top : P$ for all $\vdash t : P$.
Definition 13. Closed terms $t_1, t_2$ of the same type $P$ are related by logical
preorder, written $t_1 \sqsubseteq_L t_2$, iff for all formulae $\phi : P$ we have $t_1 \models \phi : P \Rightarrow
t_2 \models \phi : P$. If both $t_1 \sqsubseteq_L t_2$ and $t_2 \sqsubseteq_L t_1$, we say that $t_1$ and $t_2$ are logically
equivalent.

To each formula $\phi : P$ we can construct a $(O, P)$-program context $C_\phi$ with the
property that

$$C_\phi(t) \to\ \iff\ t \models \phi : P \ . \qquad (47)$$

Define

$$\begin{array}{l}
C_{\langle u \mapsto a \rangle \phi} = C_{\langle a \rangle \phi}(-\ u) \\
C_{\langle \beta a \rangle \phi} = C_{\langle a \rangle \phi}(\pi_\beta\, -) \\
C_{\langle ! \rangle \phi} = [- > !x \Rightarrow C_\phi(x)] \\
C_{\langle abs\ a \rangle \phi} = C_{\langle a \rangle \phi}(rep\ -) \\
C_{\bigwedge_{i < n} \phi_i} = [C_{\phi_1} > !x \Rightarrow \cdots [C_{\phi_n} > !x \Rightarrow\ !\emptyset] \cdots] \ .
\end{array} \qquad (48)$$

Corollary 14. For closed terms $t_1$ and $t_2$ of the same type,

$$t_1 \sqsubseteq t_2 \iff t_1 \sqsubseteq_L t_2 \ . \qquad (49)$$

Proof. The direction “$\Rightarrow$” follows from (47) and the remarks of Sect. 4.2. As for
the converse, we observe that the program contexts $C_p$ of the full abstraction
proof in Sect. 3.2 are all subsumed by the contexts above. Thus, if $t_1 \sqsubseteq_L t_2$, then
$[\![t_1]\!] \subseteq [\![t_2]\!]$ and so $t_1 \sqsubseteq t_2$ by full abstraction. □

5 Related and Future Work 

Matthew Hennessy’s fully abstract semantics for higher-order CCS [9] is a path
semantics, and what we have presented here can be seen as a generalisation of
his work via the translation of higher-order CCS into HOPLA, see [19].

The presheaf semantics originally given for HOPLA is a refined version of
the path semantics. A path set $X \in \widehat{P}$ can be seen to give a “yes/no answer”
to the question of whether or not a path $p \in P$ can be realised by the process
(cf. the representation in Sect. 2 of path sets as monotone maps $P^{op} \to \mathbf{2}$). A
presheaf over $P$ is a functor $P^{op} \to \mathbf{Set}$ to the category of sets and functions,
and gives instead a set of “realisers”, saying how a path may be realised. This
extra information can be used to obtain refined versions of the proofs of soundness
and adequacy, giving hope of extending the full abstraction result to a
characterisation of bisimilarity, possibly in terms of open maps [11].

Replacing the exponential $!$ by a “lifting” comonad yields a model Aff of
affine linear logic and an affine version of HOPLA, again with a fully abstract
path semantics [20]. The tensor operation of Aff can be understood as a simple
parallel composition of event structures [17]. Thus, the affine language holds
promise of extending our approach to “independence” models like Petri nets or
event structures in which computation paths are partial orders of events. Work
is in progress to provide an operational semantics for this language together with
results similar to those obtained here.

Being a higher-order process language, HOPLA allows process passing and so
can express certain forms of mobility, in particular that present in the ambient
calculus with public names [3,19]. Another kind of mobility, mobility of communication
links, arises from name-generation as in the $\pi$-calculus [14]. Inspired
by HOPLA, Francesco Zappa Nardelli and GW have defined a higher-order process
language with name-generation, allowing encodings of full ambient calculus
and $\pi$-calculus. Bisimulation properties and semantic underpinnings are being
developed [25].

References 

1. P.N. Benton. A mixed linear and non-linear logic: proofs, terms and models
(extended abstract). In Proc. CSL’94, LNCS 933.

2. T. Braüner. An Axiomatic Approach to Adequacy. Ph.D. Dissertation, University
of Aarhus, 1996. BRICS Dissertation Series DS-96-4.

3. L. Cardelli and A.D. Gordon. Anytime, anywhere: modal logics for mobile ambients.
In Proc. POPL’00.

4. G.L. Cattani and G. Winskel. Profunctors, open maps and bisimulation.
Manuscript, 2000.

5. J.-Y. Girard. Linear logic. Theoretical Computer Science, 50(1):1-102, 1987.

6. A.D. Gordon. Bisimilarity as a theory of functional programming. In Proc.
MFPS’95, ENTCS 1.

7. M.C.B. Hennessy and G.D. Plotkin. Full abstraction for a simple parallel programming
language. In Proc. MFCS’79, LNCS 74.

8. M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concurrency.
Journal of the ACM, 32(1):137-161, 1985.

9. M. Hennessy. A fully abstract denotational model for higher-order processes.
Information and Computation, 112(1):55-95, 1994.

10. C.A.R. Hoare. A Model for Communicating Sequential Processes. Technical monograph,
PRG-22, University of Oxford Computing Laboratory, 1981.

11. A. Joyal, M. Nielsen, and G. Winskel. Bisimulation from open maps. Information
and Computation, 127:164-185, 1996.

12. K.G. Larsen and G. Winskel. Using information systems to solve recursive domain
equations effectively. In Proc. Semantics of Data Types, 1984, LNCS 173.

13. P.-A. Melliès. Categorical models of linear logic revisited. Submitted to Theoretical
Computer Science, 2002.

14. R. Milner, J. Parrow and D. Walker. A calculus of mobile processes, parts I and
II. Information and Computation, 100(1):1-77, 1992.

15. J.H. Morris. Lambda-Calculus Models of Programming Languages. PhD thesis,
MIT, 1968.

16. M. Nielsen, G. Plotkin and G. Winskel. Petri nets, event structures and domains,
part I. Theoretical Computer Science, 13(1):85-108, 1981.

17. M. Nygaard. Towards an operational understanding of presheaf models. Progress
report. University of Aarhus, 2001.

18. M. Nygaard and G. Winskel. Linearity in process languages. In Proc. LICS’02.

19. M. Nygaard and G. Winskel. HOPLA — a higher-order process language. In Proc.
CONCUR’02, LNCS 2421.

398 M. Nygaard and G. Winskel

20. M. Nygaard and G. Winskel. Domain theory for concurrency. Submitted to
Theoretical Computer Science, 2003.

21. D.S. Scott. Domains for denotational semantics. In Proc. ICALP’82, LNCS 140.

22. R.A.G. Seely. Linear logic, *-autonomous categories and cofree coalgebras. In
Proc. Categories in Computer Science and Logic, 1987.

23. G. Winskel. The Formal Semantics of Programming Languages. MIT Press, 1993.

24. G. Winskel. A presheaf semantics of value-passing processes. In Proc. CONCUR’96,
LNCS 1119.

25. G. Winskel and F. Zappa Nardelli. Manuscript, 2003.




Modeling Consensus in a Process Calculus*

Uwe Nestmann¹, Rachele Fuzzati¹, and Massimo Merro²

¹ EPFL, Switzerland
² University of Verona, Italy

Abstract. We give a process calculus model that formalizes a well-known
algorithm (introduced by Chandra and Toueg) solving consensus
in the presence of a particular class of failure detectors (◇S); we use our
model to formally prove that the algorithm satisfies its specification.



1 Introduction and Summary 

This paper serves the following purposes: (1) to report on the first formal proof 
known to us of a Consensus algorithm developed by Chandra and Toueg using a 
particular style of failure detectors [CT96]; (2) to demonstrate the feasibility of 
using process calculi to carry out solid proofs for such algorithms; (3) to report 
on an operational semantics model for failure detectors that is easier to use in 
proofs than the original one based on so-called failure patterns. 

Distributed Consensus. In the field of Distributed Algorithms, a widely-used 
computation model is based on asynchronous communication between a fixed 
number n of connected processes, where no timing assumptions can be made. 
Moreover, processes are subject to crash-failure: once crashed, they do not 
recover. The Distributed Consensus problem is well-known in this field: initially, 
each process proposes some value; eventually, all processes that do not happen 
to crash shall agree on one of the proposed values. More precisely, Consensus is 
specified by the following three properties on possible runs of a system. 

Termination: Every correct process (eventually) decides some value. 
Validity: If a process decides v, then v was proposed by some process. 
Agreement: No two correct processes decide differently. 

Here, a process is called correct in a given run, if it does not crash in this run. 
An important impossibility result states that Consensus cannot be solved in the 
aforementioned computation model when even a single process may fail [FLP85]. 
Since this impossibility result, several refinements of the computation model 
have been developed to overcome it. One of them is the addition of unreliable 
failure detectors (FD), i.e., modules attached to each process that can be locally 
queried to find out whether another process is currently locally suspected to 
have crashed [CT96,CHT96]. FDs are unreliable in that they may have wrong 
suspicions, they may disagree among themselves, and they may change their 
suspicions at any time. To become useful, the behavior of FDs is constrained 
by abstract reliability properties about (i) the guaranteed suspicion of crashed 
processes, and (ii) the guaranteed non-suspicion of correct processes. Obviously, 
due to the run-based definition of correctness of processes, these constraints 
are also expressed over runs. A number of different combinations of FD-constraints 
were proposed in [CT96], one pair of which is commonly referred to as ◇S: 

Strong Completeness (SC): Eventually every process that crashes is perma- 
nently suspected by (the FD of) every correct process. 

Eventual Weak Accuracy (EWA): There is a time after which some correct 
process is never suspected by (the FD of) any correct process. 

Chandra and Toueg also provide an algorithm - using pseudo-code, without 
formal semantics - in the context of FDs satisfying the reliability constraints 
of ◇S. The algorithm solves Consensus under the condition that a majority of 
processes are correct. It proceeds in rounds and is based on the rotating 
coordinator paradigm: for each round number, a single process is predetermined 
to play a coordinator role, while all other processes in this round play the role 
of participants. Each of the n processes counts rounds locally and knows at any 
time who is the coordinator of its current round. Note that, due to asynchrony, 
any such system may easily reach states in which all processes are in different 
rounds. Each round proceeds in four phases, in which (1) each participant sends 
to the coordinator of its current round its current estimate of the consensus 
value stamped with the round number at which it adopted this estimate; (2) the 
coordinator waits for sufficiently many estimates to arrive and selects one of 
those with the highest stamp; this is the round proposal that is distributed to 
the participants; (3) each participant either waits for the coordinator's round 
proposal or, if this is currently permitted by its local FD, suspects the 
coordinator - in both cases, participants then send (positive or negative) 
acknowledgments to the coordinator and proceed to the next round; (4) the 
coordinator waits for sufficiently many acknowledgments; if they are all 
positive it proceeds to the decision, otherwise it proceeds to the next round. 
"Deciding on a value" means to send the value to all processes using Reliable 
Broadcast (RB). The reception of an RB-message is called RB-delivery; processes 
may RB-deliver independently of their current round and phase. On RB-delivery, 
a process "officially" decides on the broadcast value. Note that the 
broadcast-initiator must also perform RB-delivery. Since RB satisfies a 
termination property, every non-crashed process will eventually receive the 
broadcast messages. 

Intuitively the algorithm works because coordinators always wait for a 
majority of messages before they proceed (which is why, to ensure the 
computation is non-blocking, strictly less than the majority are allowed to 
crash). Once a majority of processes have positively acknowledged in the same 
round, the coordinator's proposal of that round is said to be locked: if ever 
"after" another majority positively acknowledges, it will be for the very same 
value, thus satisfying Agreement. If some coordinator manages to get these 
acknowledgments and survives until RB-delivery, the algorithm also satisfies 
Termination. The interest in having a FD with ◇S is the guarantee (EWA) that 
eventually there will be a correct process that is never again suspected, thus 
will be positively acknowledged when playing the coordinator. ◇S also gives the 
guarantee (SC) that such a process will indeed be able to reach a round in which 
it plays the coordinator role. More detailed proofs of termination, validity, and 
agreement are given in natural language and found in [CT96]. We found them 
reasonable, but hard to follow and very hard to formally verify. 

Our first main criticism is that the pseudo-code does not have a formal se- 
mantics. Thus, there is no well-defined way to generate system runs, which are 
the base of the FD and Consensus properties. To tackle this problem, many years 
of research on concurrency theory provide us with a variety of decent formalisms 
that only need to be extended to also model failures and their detection. 

Our second main criticism is more subtle. Some proofs of properties over 
runs make heavy reference to the concept of rounds, e.g., using induction on 
round numbers, although the relation between runs and asynchronous rounds 
is never clarified. This is problematic! Typically, such an induction starts with 
the smallest round in which some property X holds, e.g., in which a majority 
has positively acknowledged. In a given run, to find this starting point one may 
take the initial state and search from there for the first state in which X holds 
for some round. However, this procedure is not correct. It may well be that 
at a later state of the run, X holds for a smaller round! Accordingly, when 
the induction proceeds to a higher round, it might go backwards in time along a 
system run. Therefore, the concept of time - and of iteration along a run - is not 
fully compatible with the concept of asynchronous rounds. The solution, rather 
implicit in [CT96], is to consider runs as a whole, ignoring when events happen, 
just noting that they happened. In other words, we should pick a sufficiently 
advanced state of a given run (for example the last one in a finite run), and then 
find an appropriately abstract way to reason about its possible past. Summing 
up, the proofs would profit much from a global view on system states and their 
past that provides us with precise information about what processes have been 
in which round in the past, and what they precisely did when they were there. 

Our Approach. We provide a process calculus setting that faithfully captures the 
asynchronous process model. We equip this model with an operational control 
over crash-failure and FD properties (§2). However, instead of ◇S, for which the 
algorithm was designed, we use the following FD [CHT96]: 

Eventual Perpetual Uniform Trust (Ω): There is a time after which all the 
(correct) processes always trust the same correct process. 

The FDs Ω and ◇S are equivalent in the sense that one can be used to 
implement the other, and vice versa. Although Ω was introduced only to simplify 
the minimality proofs of [CHT96], it turns out to be more natural to develop our 
operational model for it rather than for ◇S. (Briefly, instead of keeping track 
of loads of useless unreliable suspicion information, Ω only requires us to 
model small amounts of reliable trust information.) We then model the Consensus 
algorithm as a term in this calculus (§3), allowing us in principle to analyze 
its properties over runs generated by its local-view formal operational 
semantics. However, we do not do this as one might expect by iteration along 
system runs, showing the preservation of invariants. Instead, in order to 
formally deal with the round abstraction, we develop a global-view matrix-like 
representation of reachable states that contains the complete history of 
messages sent "up to now" (§4). Also for this abstraction, we provide a formal 
semantics, and we use it instead of the local-view semantics to prove the 
Consensus properties (§5). The key justification for this approach is a very 
tight formal operational correspondence proof between the local-view process 
semantics and the global-view matrix semantics. It exploits slightly 
non-standard process calculus technology (see the full paper). 

Contributions. One novelty is the operational modeling of FD properties. 

However, the essential novelty is the formal global-view matrix representa- 
tion of the reachable states of a Consensus system that formally captures the 
round abstraction. It allowed us to bridge the gap between the local-view code 
and semantics describing the algorithm on the one hand, and the round-based 
reasoning that enables comprehensible structured proofs on the other hand. 

Another contribution is that some proofs of [CT96], especially for Agreement, 
can now be considered as being formalized. Instead of trying to directly formalize 
Termination, we came up with different proof ideas for it (Theorem 2). 

Conclusion. The matrix semantics provides us with a tractable way to perform 
a formal analysis of this past, according to when and which messages have been 
sent in the various earlier rounds. 

We use process calculus and operational semantics to justify proofs via global 
views that are based on the abstraction of rounds. In fact, this round-based global 
view of a system acts as a vehicle for many proofs about distributed algorithms, 
while to our knowledge it has never been formally justified and thus remained 
rather vague. Thus, we expect that our contribution will not only be valuable for 
this particular verification exercise, but also generally improve the understanding 
of distributed algorithms in asynchronous systems. 

Related Work. We are only aware of a formal model and verification of Random- 
ized Consensus using probabilistic I/O-automata [PSL00]. 

Future Work. Apart from this application-oriented work, we have also modeled 
the other failure detectors of [CT96]. We are currently working on the formal 
comparison of our representation to theirs. This work is independent of the 
language used to describe the algorithms that make use of failure detectors. 

It would also be interesting to study extensions of our operational semantics 
setting for failure detectors towards more dynamic mobile systems. 
2 The Process Calculus Model 



We use a simple distributed asynchronous value-passing process calculus; name- 
passing is not needed for static process groups. We use an extension with named 
sites inspired by Berger and Honda [BH00], but unlike them we do not have 
to model message loss. Our notion of sites also resembles the locations of Dπ 
[RH01] and the Nomadic pi calculus [WS00]. For convenience, we also employ 
site-local purely signaling synchronous actions. We do not need the usual 
restriction operator, because we are going to study only internal transitions. 



v ::= x | i | t | f | f(v) | ... 

M ::= a⟨v⟩ 

α ::= a(x) | a | ā | susp_j 

G ::= G + G | α.P | 0 

P ::= P|P | Y(v) | M | G | if v then P else P 

N ::= N|N | i[P] | M 


where process constants Y are associated with defining equations Y(x) := P, 
which also gives us recursion. I ⊆ V is a set of site identifiers (metavariables 
i, j, k, n), for which we simply take a subset of the natural numbers Nat equipped 
with standard operations like equality and modulo. {t, f} ⊆ V is the set of 
boolean values. The set V of value expressions (metavariable v) contains various 
operations on sets and lists, like addition, extraction, arity, and comparison. 
We also use a function eval that performs the deterministic evaluation of value 
expressions. By abuse of notation, we use all value metavariables (and x) also as 
input variables. Names N (metavariable a) are different from values (N ∩ V = ∅). 

We use G, P, and N to refer to the sets of terms generated by the respective 
non-terminal symbols for guards G, local processes P, and networks N. Sites i[P] 
are named and may be syntactically distributed over terms; sometimes, we refer 
to them as processes. The interpretation of all operators is standard [BH00]. For 
actions susp_j, see the explanation and formal semantics later on. We include 
both synchronous signals (a, ā) and asynchronous messages M with matching 
receivers; for simplicity, we do not introduce separate syntactic categories for 
the respective channels. As usual, parallel composition is associative and 
commutative; with finite indexing sets I we use Π_{i∈I} P_i as abbreviation for 
the arbitrarily ordered and nested parallel composition of the P_i, and 
similarly for networks N_i. 



Structural Equivalence. The relation (≡) is defined as the smallest equivalence 
relation generated by the laws of the commutative monoids (G, +, 0), (P, |, 0), 
and (N, |, 0), the law i[P1] | i[P2] (≡) i[P1 | P2] that defines the scope of sites, 
the straightforward laws induced by evaluation of value expressions: 

— if v then P1 else P2 (≡) P1 if eval(v) = t, 

— if v then P1 else P2 (≡) P2 if eval(v) = f, 

— a⟨v⟩ (≡) a⟨eval(v)⟩, Y(v) (≡) Y(eval(v)); 

— Y(v) (≡) P{v/x} if Y(x) := P, 

and that is preserved within non-prefix contexts. The inclusion of conditional 
resolution and recursion unfolding within structural equivalence is to allow us 
to have the transition relation defined below deal exclusively with interactions. 
However, an unconstrained use of (≡) quickly leads to problems when applying 
equivalence laws in an unintended direction. Thus, for proofs, we replace the 
relation (≡) and the rule (str) of Table 1 with a directed (normalized) version. 

Table 1. Network transitions 

(tau)       i[τ.P + G]  —τ@i→  i[P] 

(suspect?)  i[susp_j.P + G]  —susp_j@i→  i[P] 

(com)       i[a.P1 + G1 | ā.P2 + G2]  —τ@i→  i[P1 | P2] 

(snd)       i[M]  —τ@i→  M 

(rcv)       a⟨v⟩ | i[a(x).P + G]  —τ@i→  i[P{v/x}] 

(str)       N ≡ N1,  N1 —μ@i→ N2,  N2 ≡ N'  implies  N —μ@i→ N' 

Network Transitions. Transitions on networks are generated by the laws in Ta- 
ble 1. Each transition —μ@i→ is labeled by the action μ ∈ {τ, susp_j} and the site 
identifier i indicating the site required for the action. The communication of 
asynchronous messages takes two steps: once they are sent, i.e., appear at top- 
level on a site, they need to leave the sender site (snd) into the buffering "ether"; 
once in the ether, they may be received by a process on the target site (rcv). 

Without definition (see the full paper for details), let →_n denote the 
normalized transition relation that we get when using a directed structural 
relation; this relation is defined on the subset of normalized network terms N^n. 

Environment Transitions. By adding an environment component Γ to networks, 
we model both failures and their detection, as well as "trust" in the sense of Ω. 
Environments Γ := (Tl, C) contain (i) information about sites i ∈ Tl ⊆ I that 
have become trusted forever and immortal, so they can no longer be suspected 
nor crash, and (ii) information about sites i ∈ C ⊆ I that have already crashed. 

Environments are updated according to the rules in Table 2. Rule (trust) 
models the instant at which (according to Ω) processes become trusted - in 
our model they also become immortal: they will be "correct" in every possible 
future. Rule (crash) keeps track of processes that crash and is subject to 
an upper bound: for instance, the Consensus algorithm of [CT96] is supposed 
to work correctly only under the constraint that fewer than a majority of the 
processes may crash. 

Table 2. Environment transitions 

(trust)     i ∉ Tl ∪ C 
            (Tl, C) → (Tl ∪ {i}, C) 

(crash)     i ∉ Tl ∪ C,  |C| < ⌈n/2⌉ 
            (Tl, C) → (Tl, C ∪ {i}) 

Table 3. System transitions 

(detect)    Γ → Γ' 
            Γ ⊢ N → Γ' ⊢ N 

(act)       i ∉ C,  N —τ@i→ N' 
            (Tl, C) ⊢ N → (Tl, C) ⊢ N' 

(suspect!)  i ∉ C,  N —susp_j@i→ N',  j ∉ Tl 
            (Tl, C) ⊢ N → (Tl, C) ⊢ N' 

System Transitions. Configurations are pairs of the form Γ ⊢ N. Their transi- 
tions come either from the environment Γ (detect), modeling the unconstrained 
occurrence of its transitions, or they come from the network N. In this case, the 
environment must explicitly permit the network actions. Rule (act) guarantees 
that only non-crashed sites may act. Rule (suspect!) provides the model for 
suspicions: a site j may only be suspected by a process on another (different) 
non-crashed site i and - which is crucial - the suspected site must not be trusted. 
Note that suspicions in this model are "very unreliable" since every non-trusted 
site may be suspected from within any non-crashed site at any time. 

Runs. FD properties are based on the notion of run. In our language, runs are 
complete (in)finite sequences of transitions (denoted by →*) starting in some 
initial configuration (∅, ∅) ⊢ N. According to [CT96], a process is called correct 
in a given run, if it does not crash in that run. There is a close relation between 
this notion and the environment information in states of system runs. 

Lemma 1 (Correctness in System Runs). 

1. If R is the finite run (∅, ∅) ⊢ N_0 →* (Tl, C) ⊢ N, then: 

   – i ∈ Tl iff i is correct in R; i ∈ C iff i is not correct in R. 

   – |Tl| > n − ⌈n/2⌉, |C| < ⌈n/2⌉, and Tl ⊎ C = {1..n}. 

2. If (∅, ∅) ⊢ N_0 →* (Tl, C) ⊢ N is a prefix of the run R, then: 

   – If i ∈ Tl, then i is correct in R. If i ∈ C, then i is not correct in R. 

   – |C| < ⌈n/2⌉, and Tl ⊎ C ⊆ {1..n}. 

Proof (Sketch). By the rules of Table 2 and rule (suspect!) in Table 3. □ 
For finite runs, Lemma 1(1) states that in final states all decisions concerning 
"life" and "death" are taken. For intermediate states of infinite runs, Lemma 1(2) 
provides us with only partial but nevertheless reliable information. 

Our operational representation of the FD Ω consists of two parts: (i) the 
above rule (suspect!), and (ii) a condition on runs that at least one site must 
eventually become trusted and immortal (for the current run) such that it cannot 
be suspected afterwards and will turn out to be correct. 

Definition 1 (Ω-Runs). Let R be a run starting in (∅, ∅) ⊢ N_0. 
R is called an Ω-run if (∅, ∅) ⊢ N_0 →* (Tl, C) ⊢ N is a prefix of R with Tl ≠ ∅. 

The condition Tl ≠ ∅ means that, for at least one transition in the run R, the rule 
(trust) must have been applied. In Ω-runs, it is sufficient to check a syntactic 
condition on states that guarantees the absence of subsequent unpermitted 
suspicions. In contrast, the original FD model requires one to carefully check 
that after some hypothetical (not syntactically indicated) time all occurrences 
of suspicion steps do not address a particular process that happens to be 
correct in this run, by analyzing every single step of the run. Thus, our 
operational FD model considerably simplifies the analysis of runs. The formal 
comparison of operational models and the original history-based models is 
ongoing work, in which we also address the remaining failure detector classes 
introduced in [CT96]. 



3 Solving Consensus with Ω-Detection 

Table 4 shows the Consensus algorithm of [CT96] represented as the process 
calculus term Consensus_(v1..vn). When no confusion is possible, we may omit 
the initial values (v1..vn). We use the notation Y_i^v as an abbreviation for 
Y_i(i, v), so the subscript is part of the constant while the superscripts 
represent the formal/actual parameters. The subscript must, in fact, also be 
considered part of the parameters, because we will access it in the body, but 
since we never change this parameter, we omit it in the abbreviation. 

Let n be the number of processes, and crd(r) := ((r−1) mod n)+1 denote the 
coordinator of round r. Y_i^{r,v,s,L} represents participant i in round r with 
current estimate v dating back to round s, and a list L of messages previously 
received from other participants (see below). Y_i itself ranges over P1_i, P2_i, 
P4_i, R_i, Z_i for i = crd(r), and over P1_i, P3_i, R_i for i ≠ crd(r). D_i is 
part of the RB-protocol: it is the component that "decides" and re-broadcasts 
on RB-delivery. 

All protocol participants are interconnected; we use separate channel names 
(c1_i, c2_i, c3_i) for the messages sent in the first three phases, and further 
channel names for broadcasting (b_i) and announcing decisions (decide_i). For 
convenience, we use site-indexed channel names, but note that the indices i are 
only virtual: they are considered to be part of the indivisible channel name. In 
addition to these 5·n asynchronous channels, we use n synchronous channels 
(undecided_i), also "indexed". We use the latter to conveniently avoid fairness 
conditions on runs concerning the reception of the otherwise asynchronous 
signals. We include some redundant information (gray-shaded in Table 4) within 
messages - especially about the sender and receiver identification - such that we 
can easily and uniquely distinguish messages. We also add some τ-steps, which are 
only there to facilitate the presentation of some of the proofs. 

Table 4. Consensus (only the legible defining equations are reproduced; those of 
P2_i, P4_i, and Z_i could not be recovered) 

Consensus_(v1,..,vn) := Π_{i=1}^{n} i[ P1_i^{1,v_i,0,∅} | D_i ] 

P1_i^{r,v,s,L} := c1_{crd(r)}⟨i,r,v,s⟩ | if i = crd(r) then P2_i^{r,v,s,L} else P3_i^{r,v,s,L} 

P3_i^{r,v,s,L} := if L_2^r = ∅ 
                  then c2_i(l).P3_i^{r,v,s,l::L} + susp_{crd(r)}.( c3_{crd(r)}⟨i,r,f⟩ | R_i^{r,v,s,L} ) 
                  else τ.( c3_{crd(r)}⟨i,r,t⟩ | R_i^{r,val(L_2^r),r,L} ) 

R_i^{r,v,s,L} := undecided_i . P1_i^{r+1,v,s,L} 

D_i := undecided_i . D_i + b_i(j,·,m,r,v).( decide_i⟨j,i,m,r,v⟩ | Π_{k=1}^{n} b_k⟨i,k,2,r,v⟩ ) 

Behaviors. In the 1st phase, we send our current estimate and, depending on 
whether we are coordinator of our round, we move to phase 2 or 3. 

In the 2nd phase, we (P2_i^{r,v,s,L}) wait for sufficiently many 1st-phase 
estimate messages for our current round r. Once we have them, we determine the 
best one among them (see below), and we impose its value as the one to adopt 
in the round r by sending it to everybody else. (As a slight optimization of 
[CT96], we do not send the proposal to ourselves, and also we do not send an 
acknowledgment to ourselves, assuming that we agree with our own proposal.) 
Remembering the just proposed value, we then move to phase 4. 

In the 3rd phase, we (P3_i^{r,v,s,L}) are waiting for the proposal from the 
coordinator of our current round r. As soon as it arrives, we positively 
acknowledge it, and (try to) restart and move to the next round. As long as it 
has not yet arrived, we may also have the possibility to suspect the coordinator 
in order to move on; in this case, we continue with our old value and stamp. 

In the 4th phase, we (P4_i^{r,v,s,L}) wait for sufficiently many 3rd-phase 
acknowledgment messages for our current round r. Once we have them, we check 
whether they are all positive. If yes, then we launch reliable broadcast by 
sending our decision value v on all b_k; it becomes reliable only through the 
definition of D_i on the receiver side of the b_k. If no, then we simply try to 
restart. 

If we want to restart, we (R_i^{r,v,s,L}) must get the explicit permission from 
our broadcast controller process along the local synchronous channel undecided_i. 
This permission will never again be given as soon as we (at site i) have 
"delivered", i.e., received the broadcast along b_i and subsequently have 
decided. 

When halting a coordinator, we do not just let it become 0 or disappear, 
but use a specific constant to denote the final state. The reason is that we 
can keep accessible within the term the final information of halted processes, 
which would otherwise disappear as well. 

Data Structures. The parameter L ∈ 𝓛 is a heterogeneous list of elements in 𝓛_1 
for 1st-phase messages, 𝓛_2 for 2nd-phase messages, and 𝓛_3 for 3rd-phase 
messages. By L_1, L_2, L_3, we denote the various homogeneous sublists of L for 
the corresponding phases. By |L|, we denote the length of a list L. By l::L, we 
denote the addition of element l to L. For each homogeneous type of sublist, we 
provide some more notation. For convenience, we allow ourselves to use component 
access via "logical" names rather than "physical" projections. For example, in 
all types, one component represents a round number. By L^r := {l ∈ L | round(l) = r}, 
we extract all elements of list L that apparently belong to round r. Similarly, 
the function val(l) extracts the value field of list element l. 

Elements of 𝓛_1 ({1}×I×ℕ×V×ℕ), like 1st-phase messages, consist of a site 
identifier (∈ I), a round number (∈ ℕ), an estimate value (∈ V), and a stamp 
(∈ ℕ). Let L ⊆ 𝓛_1. By max_s(L) := max{ stamp(l) | l ∈ L } we extract the 
maximal stamp occurring in the elements of L. By best(L) := val(min_i{ l ∈ L | 
stamp(l) = max_s(L) }), we extract among all the elements of L that have the 
highest stamp the one element that is smallest with respect to the site 
identifier, and return the value of it. 

Elements of 𝓛_2 ({2}×I×ℕ×V), like 2nd-phase messages, consist of a site 
identifier (∈ I), a round number (∈ ℕ), and an estimated value (∈ V). 

Elements of 𝓛_3 ({3}×I×ℕ×𝔹), like 3rd-phase messages, consist of a sender 
site identifier (∈ I), a round number (∈ ℕ), and a boolean value (∈ 𝔹). Let 
l ∈ 𝓛_3. By bool(l), we extract the boolean component of list element l. 
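The round structure from the Introduction and the phase behaviors and list L of this section, as an added executable illustration that is not part of the paper: a seeded Python simulation of the rotating-coordinator algorithm in which every site keeps (r, v, s, L), coordinators act only on majority-sized round-r sublists of L, suspicion of a coordinator is permitted only while it is not trusted, and fewer than a majority of sites may crash. The choice n = 5, the site that becomes trusted, the scheduler step at which trust begins, the initial values and the uniform random scheduler are constructed assumptions of this example.

```python
import random

N = 5                      # sites 1..N (constructed configuration, not from the paper)
MAJORITY = N // 2 + 1      # estimates a coordinator waits for in its 2nd phase
MAX_CRASH = (N - 1) // 2   # strictly fewer than a majority may crash

def crd(r):                # rotating coordinator of round r: ((r - 1) mod n) + 1
    return (r - 1) % N + 1

def best(ests):            # value of the highest-stamped (i, v, s); ties to smallest i
    top = max(s for _, _, s in ests)
    return min((i, v) for i, v, s in ests if s == top)[1]

class Sim:
    def __init__(self, values, trusted, trust_at, seed):
        self.rng, self.trusted, self.trust_at = random.Random(seed), trusted, trust_at
        self.step, self.crashed = 0, set()
        self.ether = []    # sent, not yet delivered: (dst, src, tag, r, payload)
        # per site: the (r, v, s, L) state of Section 3, plus its phase and decision
        self.st = {i: dict(r=0, v=v, s=0, L=[], phase=None, decision=None)
                   for i, v in enumerate(values, 1)}
        for i in self.st:
            self.start_round(i, 1)
    def send(self, src, dst, tag, r, payload):
        self.ether.append((dst, src, tag, r, payload))
    def msgs(self, i, tag, r):     # the paper's L_k^r: round-r entries of one kind
        return [(src, pl) for src, t, rr, pl in self.st[i]['L'] if t == tag and rr == r]
    def start_round(self, i, r):
        p = self.st[i]
        p['r'] = r
        self.send(i, crd(r), 'c1', r, (p['v'], p['s']))   # 1st phase: stamped estimate
        p['phase'] = 'p2' if crd(r) == i else 'p3'
        self.react(i)
    def react(self, i):            # local transitions of site i until none is enabled
        while self.advance(i): pass
    def advance(self, i):
        p = self.st[i]
        if p['decision'] is not None:
            return False
        for _, tag, rr, pl in p['L']:                       # RB-delivery, any round/phase
            if tag == 'b':
                p['decision'] = pl
                for k in self.st: self.send(i, k, 'b', rr, pl)   # re-broadcast, then halt
                return False
        r = p['r']
        if p['phase'] == 'p2' and len(ests := self.msgs(i, 'c1', r)) >= MAJORITY:
            prop = best([(src, v, s) for src, (v, s) in ests])   # coordinator, 2nd phase
            for k in self.st:
                if k != i: self.send(i, k, 'c2', r, prop)        # proposal, not to itself
            p['v'], p['s'], p['phase'] = prop, r, 'p4'
        elif p['phase'] == 'p3' and (props := self.msgs(i, 'c2', r)):
            p['v'], p['s'] = props[0][1], r                      # adopt the proposal
            self.send(i, crd(r), 'c3', r, True)                  # positive acknowledgment
            self.start_round(i, r + 1)
        elif p['phase'] == 'p4' and len(acks := self.msgs(i, 'c3', r)) >= MAJORITY - 1:
            if all(ok for _, ok in acks):                        # own ack is implicit
                for k in self.st: self.send(i, k, 'b', r, p['v'])   # reliable broadcast
                p['phase'] = 'halt'
            else:
                self.start_round(i, r + 1)
        else:
            return False
        return True
    def run_step(self):            # one scheduler step: a random enabled global action
        trust_on = self.step >= self.trust_at
        acts = [('deliver', k) for k in range(len(self.ether))]
        acts += [('suspect', i) for i, p in self.st.items()   # FD permits the suspicion
                 if i not in self.crashed and p['decision'] is None and p['phase'] == 'p3'
                 and not (trust_on and crd(p['r']) == self.trusted)]
        if len(self.crashed) < MAX_CRASH:
            acts.append(('crash', None))
        kind, arg = self.rng.choice(acts)
        if kind == 'deliver':
            dst, src, tag, r, pl = self.ether.pop(arg)
            if dst not in self.crashed:                     # crashed sites receive nothing
                self.st[dst]['L'].append((src, tag, r, pl))
                self.react(dst)
        elif kind == 'suspect':
            r = self.st[arg]['r']
            self.send(arg, crd(r), 'c3', r, False)          # nack; keep old estimate and stamp
            self.start_round(arg, r + 1)
        else:                                               # the trusted site never crashes
            alive = [i for i in self.st if i not in self.crashed and i != self.trusted]
            self.crashed.add(self.rng.choice(alive))
        self.step += 1

def run(values, seed, trusted=3, trust_at=40, max_steps=20000):
    """Run until every non-crashed site decided; return (their decisions, crashed set)."""
    sim = Sim(values, trusted, trust_at, seed)
    for _ in range(max_steps):
        if all(p['decision'] is not None for i, p in sim.st.items() if i not in sim.crashed):
            break
        sim.run_step()
    return {i: p['decision'] for i, p in sim.st.items() if i not in sim.crashed}, sim.crashed
```

run() returns the decisions of the non-crashed sites, so Validity and Agreement can be checked over many seeds; the trusted site that can no longer be suspected is what guarantees that every run ends with a decision.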



4 A Global Message-Oriented View: Matrices 

By analysis of Chandra and Toueg's proofs of the Consensus properties [CT96], 
we observe that they become feasible only if we manage to argue formally and 
globally about the contributions of processes to individual rounds. To this aim, 
we design an alternative representation of the reachable states of Consensus: 
message matrices 𝔐. In fact, matrices contain precisely the same information as 
terms: we can freely move between the two representations via formal mappings: 
𝓜⟦·⟧ using 𝓔(·), and 𝓝⟦·⟧ using 𝓔^{-1}(·). It is for this tight connection that 
we augmented the definition of Consensus in Table 4 with book-keeping data, never 
forgetting any message ever received. 

Table 5. From messages M to matrix entries x ... and back 

M = 𝓔^{-1}(x)         | l = 𝓔^{-1}(x) | snd    | rcv    | rnd | 𝓔(M) = x := 𝓔(l)   | tag(x) 
c1_{crd(r)}⟨i,r,v,s⟩  | (1,i,r,v,s)   | i      | crd(r) | r   | (i,r) ↦ (v,s,t)     | t 
c2_i⟨i,r,v⟩           | (2,i,r,v)     | crd(r) | i      | r   | (i,r) ↦ (v,t)       | t 
c3_{crd(r)}⟨i,r,z⟩    | (3,i,r,z)     | i      | crd(r) | r   | (i,r) ↦ (z,t)       | t 
b_i⟨j,i,m,r,v⟩        | —             | j      | i      | r   | (i,j,m) ↦ (r,v,t)   | t 
decide_i⟨j,i,m,r,v⟩   | —             | i      | —      | r   | (i) ↦ (j,m,r,v,t)   | t 

𝓜⟦·⟧: From Networks to Matrices. With any state reachable starting from Con- 
sensus, we associate a matrix structure containing all the asynchronous messages 
that have been sent "up to now", organized according to the round in which they 
were sent. For the 1st-, 2nd-, and 3rd-phase messages, the resulting structure 
is a specific kind of two-dimensional matrix (see column six of Table 5): one 
dimension for process ids (variable i ranging from 1 to n), one dimension for 
round numbers (variable r ranging unboundedly over natural numbers starting 
at 1). For broadcast- and decision-messages, which may only eventually occur 
for a single round per process, the format is slightly different. 

For each message, we distinguish three transmission states: 

— being sent, but not yet having left the sender site (✓) 

— being in transit, i.e., having left the sender site, but not yet arrived (✓✓) 

— being received, i.e., appearing in the list L (✓✓✓) 

We usually let t range over the elements of the ordered set {✓, ✓✓, ✓✓✓}. For 
d-entries, aka decision messages, there is no receiver and thus always t ≠ ✓✓✓. 

Networks can be mapped into matrices because our process representation 
memorizes the required information on past messages (✓✓✓) in the state 
parameters L; messages that are sent and not yet received (✓, ✓✓) can be 
analyzed "directly" from the respective system state component. Table 5 lists 
the various entry types of matrices, and how they correspond to the formats 
found in networks, namely messages M and list entries l ∈ L. For better 
orientation, we include columns snd and rcv that indicate the respective sender 
and receiver. 

We may view a matrix 𝔐 as the heterogeneous superposition of five homogeneous 
parts. Each part can be regarded either as a set of elements 𝔐.x as in column 
six of Table 5, or as a function according to the domain of x, ranging over 
{𝔐.1_i^r, 𝔐.2_i^r, 𝔐.3_i^r, 𝔐.b_{i,j}^m, 𝔐.d_i}; we use ↓ and ↑ to denote 
defined and undefined images. Matrix update 𝔐{x := w} is overriding. 
Table 6. Example matrix (n = 5; rows: round number 1-4, each with phases 1-3; 
columns: processes 1-5; the individual entries are illegible in this copy) 

Matrix Semantics. The initial matrix of Consensus is denoted by 

ℭonsensus_(v1..vn) := 𝓜⟦ Consensus_(v1..vn) ⟧ = ∅{ ∀i : 1_i^1 := (v_i, 0, ✓) } 

In order to simulate the behavior of networks at the level of matrices, we propose 
an operational semantics that manipulates matrices precisely mimicking the 
behavior of their corresponding networks. As with networks, the rules in Tables 2 
and 3, where networks and their transitions are replaced by matrices and their 
(equally labeled) transitions, allow us to completely separate the treatment of 
behavior in the context of crashes from the description of the behavior of 
messages in the matrix. The rules are given in the full paper. Here, we just look 
at an example of a matrix for n = 5 (Table 6) that is reachable by using the 
matrix semantics. For instance, to be a valid matrix, coordinators can only have 
proceeded to the next round if they received a majority − 1 of 3rd-phase 
messages; cf. the coordinators of rounds 1 and 3. Also, participants proceed 
with the value of the previous round if they nack (f), or with the proposed 
value of the previous coordinator if they ack (t); cf. process 5 in its rounds 
2 and 4. 

Some transitions that are enabled from within the example matrix are: messages 
with tag ✓ may be released to the network and get tag ✓✓; process 4 may 
receive 1st-phase messages from process 5, from either round 2 or 4. Many other 
requirements like these are represented by the 12 rules of the matrix semantics. 

𝓝⟦·⟧: From Matrices to Networks. We only note here that the presence of all 
previously sent messages, distinguishing all their transmission states, allows 
us to uniquely reconstruct the term counterpart, i.e., for every site i we may 
uniquely determine its phase phs_i(𝔐) := Y_i ∈ {P1_i, P2_i, P3_i, P4_i, R_i, Z_i} 
with accompanying parameters r := rnd_i(𝔐), v, s, L and its decision state 
dec_i(𝔐) ∈ {D_i, 0}. 

The matrix semantics mimics the network semantics very closely. 

Proposition 1 (Operational Correspondence). Let Consensus →* N. 

1. If N →_n N', then 𝓜⟦N⟧ → 𝓜⟦N'⟧. 

2. If 𝓜⟦N⟧ → 𝔐, then N →_n 𝓝⟦𝔐⟧. 

Normalized network runs can then straightforwardly be translated step-by-step 
into matrix runs using 𝓜⟦·⟧, and vice versa using 𝓝⟦·⟧. If a network run is 
infinite, then its corresponding matrix run is infinite as well. Or, conversely, 
if a corresponding matrix run is finite, then the original network run must have 
been finite as well. Furthermore, since we produce system runs - where the 
distributed algorithm is embedded into our failure-sensitive environments - with 
either networks or matrices, the correspondence carries over also to the system 
level. Therefore, we may use the matrix semantics instead of the original 
network semantics to reason about the Consensus algorithm and its properties. 

5 Properties of the Algorithm: Consensus 

In this section, we prove the three required Consensus properties - validity, 
agreement, and termination - using the matrix structures. As the graphical 
sketches in Table 7 show, we heavily exploit the fact that the matrix abstraction 
allows us to analyze message patterns that have been sent in the past. We do 
not need to know precisely in which order all the messages have been sent, but 
we do need to have some information about the order in which they cannot have 
been sent. Our formal matrix semantics provides us with precisely this kind of 
information. 

We conclude this section by transferring the results back to networks. 

Validity. From the definition, every decided value has initially been proposed.

Proposition 2 (Validity). Let Consensus_(v1..vn) →* 𝔐.

If 𝔐.d_j = (j, m, r, v, t), then there is k ∈ { 1..n } with v = v_k.

Agreement. We call var^r(𝔐) the value that the coordinator of round r in 𝔐
tried to impose in its second phase; it may be undefined. In the Introduction,
we said that a value gets locked as soon as enough processes have, in the same
round, positively acknowledged to the coordinator of this round. This condition
translates into matrix terminology as follows:

Definition 2. A value v is called locked for round r in matrix 𝔐,
written 𝔐 ⊢_r v, if #{ j | 𝔐.3^r_j = (t, v) } > n/2.

Note the convenience of the matrix abstraction to access the messages that were
sent in the past, without having to look at the run leading to the current state.
Now, if 𝔐 ⊢_r v then v = var^r(𝔐). Also, broadcast is always for a locked value.

Lemma 2. If 𝔐.b_m = (r, v, ·), then 𝔐 ⊢_r v.

Lemma 3. If 𝔐 ⊢_r v_1 and 𝔐 ⊢_r v_2, then v_1 = v_2.



The key idea is to compare lockings in two different rounds. 
Table 7. Matrix proofs: (I) Pre-Agreement, (II) Ω-Finiteness, (III) Termination.
[The graphical proof sketches (permutations of {1..n}, crd(r), max_rnd, rounds r, r+n, r+n+1) are not recoverable from the scan.]
Proposition 3 (Pre-Agreement). If 𝔐 ⊢_r v_1 and 𝔐 ⊢_r̂ v_2, then v_1 = v_2.

Note that both lockings have already happened in the past of 𝔐.

Proof (Sketch). Suppose that 𝔐 ⊢_r v, so v = var^r(𝔐). We prove by course-of-value
induction that for all r̂ ≥ r, if 𝔐 ⊢_r̂ v̂, then v̂ = v.

First, in both rounds r and r̂, a majority is responsible for the locking.
In Table 7(I), we make explicit (by permutation) that there is a process p that
belongs to both majorities. Then, let h be the process that won the first phase of
round r̂ in that crd(r̂) chose h's estimate as its round-proposal. Using the matrix
semantics, we identify the rounds s_p and s_h in which p and h acknowledged the
estimate that they still believe in at round r̂. By a number of auxiliary lemmas
on matrices we conclude that r ≤ s_p ≤ s_h < r̂.

Now, if r = r̂, then trivially var^r(𝔐) = var^r̂(𝔐) (Lemma 3).

If r̂ > r then, by induction, we have var^r(𝔐) = var^{s_h}(𝔐), and since h preserves
the value it adopted in s_h until it reaches r̂, where it "wins", also var^{s_h}(𝔐) =
v̂ = var^r̂(𝔐), we conclude var^r(𝔐) = var^r̂(𝔐). □
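The locking condition of Definition 2 and the pre-agreement property of Proposition 3 can be read directly off a matrix, without replaying the run that produced it. The Python below is an added illustration, not code from the paper: it represents the 3rd-phase column of a constructed matrix for n = 5 as a dictionary and computes, per round, which value (if any) is locked, assuming a strict majority as the locking threshold (the threshold itself is not legible in the scan). `locked_value`, `lock_history`, `check_pre_agreement` and the sample matrices are this example's own names and data.

```python
from collections import Counter

# Constructed analogue of the 3rd-phase column of a Consensus matrix for n = 5:
# MATRIX[r][j] = (ack, v) is the 3rd-phase message process j sent to crd(r),
# ack True for a positive acknowledgement (t), False for a nack (f);
# a missing key means j sent nothing in round r.
N = 5

def locked_value(third_phase, n=N):
    """Definition 2 read with a majority threshold (assumption: the threshold
    is not legible in the scan): v is locked when more than n/2 processes sent
    (t, v). Returns v, or None when no value is locked. Two different values
    can never both pass the threshold (Lemma 3), since two majorities intersect."""
    acks = Counter(v for ack, v in third_phase.values() if ack)
    for v, cnt in acks.items():
        if cnt > n // 2:
            return v
    return None

def lock_history(matrix, n=N):
    """Locked value of every round, read off the matrix without replaying the run."""
    return {r: locked_value(tp, n) for r, tp in sorted(matrix.items())}

def check_pre_agreement(matrix, n=N):
    """Proposition 3 as a runtime invariant: every round that locks a value
    locks the same one."""
    return len({v for v in lock_history(matrix, n).values() if v is not None}) <= 1

MATRIX = {   # constructed sample, processes 1..5
    1: {1: (True, 'a'), 2: (True, 'a'), 3: (True, 'a'), 4: (False, 'b')},  # 'a' locked
    2: {3: (True, 'a'), 5: (True, 'a')},                                 # 2 acks: no lock
    3: {2: (True, 'a'), 3: (True, 'a'), 5: (True, 'a')},                 # 'a' locked again
}

BAD_MATRIX = {   # constructed: a history the matrix semantics can never produce
    1: {1: (True, 'a'), 2: (True, 'a'), 3: (True, 'a')},
    2: {3: (True, 'b'), 4: (True, 'b'), 5: (True, 'b')},
}

if __name__ == "__main__":
    print(lock_history(MATRIX))              # {1: 'a', 2: None, 3: 'a'}
    print(check_pre_agreement(MATRIX))       # True
    print(check_pre_agreement(BAD_MATRIX))   # False
```

The point mirrored from the text is that the check needs no ordering information about the run: the matrix keeps every 3rd-phase message ever sent, so a lock is a property of the current state alone.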



Theorem 1 (Agreement). If 𝔐.d_i = (·, ·, ·, v_i, ·) and 𝔐.d_j = (·, ·, ·, v_j, ·), then
v_i = v_j.

Proof (Sketch). If 𝔐.d_i = (k_i, m_i, r_i, v_i, ·), then by the only matrix rule to
generate d_i-entries there must (have) be(en) m_i with 𝔐.b_{m_i} = (r_i, v_i, ·). Analogously
for j: if 𝔐.d_j = (k_j, m_j, r_j, v_j, ·), there must (have) be(en) m_j with
𝔐.b_{m_j} = (r_j, v_j, ·). By Lemma 2, both 𝔐 ⊢_{r_i} v_i and 𝔐 ⊢_{r_j} v_j. By Proposition 3,
we conclude v_i = v_j. □
Termination. In an infinite run, every round is reached.

Lemma 4 (Infinity). Let R denote an infinite system run of Consensus.
Then, for all r > 0, there is a prefix of R of the form

(∅, ∅) ⊢ Consensus →* Γ ⊢ 𝔐

where rnd_i(𝔐) = r for some i.

Proof (Sketch). By combinatorics on the number of steps per round. □

Theorem 2 (Ω-Finiteness). All Ω-runs of Consensus are finite.

Proof (Sketch). Assume, by contradiction, to have an infinite Ω-run. The bold
line 𝔐 in Table 7(II) marks the global state at instant t, when process i becomes
∈ T. Call max_rnd the greatest round at time t, and r > max_rnd the first
round in which i = crd(r). Since the run is infinite, with Lemma 4 there is
a time t̂ > t, where we reach state 𝔐̂, where round r+n+1 is populated by
some j. Since i ∈ T, j can reach r+n+1 only by positively acknowledging i
in round r+n. So i was in r+n, therefore also in r. Since i was in r and has
gone further, it has been suspected. But here we get a contradiction because
in round r already i ∈ T and no process was allowed to suspect it, while the
matrix 𝔐 evolved into 𝔐̂. So, no Ω-run can be infinite. □

Theorem 3 (Termination). All Ω-runs of Consensus are of the form

(∅, ∅) ⊢ Consensus →* (T, C) ⊢ 𝔐

with T ⊎ C = { 1..n } and i ∈ T implies that 𝔐.d_i = ⊤.

Proof (Sketch). We first show that if there was i ∈ T with 𝔐.d_i = ⊥, then
actually 𝔐.d_j = ⊥ for all j ∈ T. Since 𝔐 ↛, we may thus call all processes j ∈
T as being in deadlock. Then, we proceed by contradiction. We concentrate on
the non-empty set Min ⊆ T of processes in the currently minimal round. The
contradiction arises, as in Table 7(III), by using the matrix semantics to show
that Min must be empty, otherwise contradicting that 𝔐 ↛. □

Back to the Process Calculus. With Table 5, we observe that the definedness of an
entry 𝔐.d_i = ⊤ corresponds to a message decide_i(···) having been sent. Therefore,
and with the operational correspondence (Proposition 1), which closely
resembles strong bisimulation, all the previous results carry over to networks.
Abstract. A linear forwarder is a process which receives one message
on a channel and sends it on a different channel. Such a process allows 
for a simple implementation of the asynchronous pi calculus, by means 
of a direct encoding of the pi calculus’ input capability (that is, where a 
received name is used as the subject of subsequent input). This encoding 
is fully abstract with respect to barbed congruence. 

Linear forwarders are actually the basic mechanism of an earlier im- 
plementation of the pi calculus called the fusion machine. We modify 
the fusion machine, replacing fusions by forwarders. The result is more 
robust in the presence of failures, and more fundamental. 



1 Introduction 

Distributed interaction has become a necessary part of modern programming
languages. We regard the asynchronous pi calculus as a basis for such a language.
In the pi calculus, a program (or process) has a collection of channels, and it runs
through interaction over these channels. A possible distributed implementation
is to let each channel belong to a single location. For instance, there is one
location for the channels u, v, w and another for x, y, z, and the input resource
u(a).P goes in the first location. If an output ux should arise anywhere else in
the system, it knows where it can find a matching input. This basic scheme is
used in the join calculus [7], in the π1ℓ calculus [3], and in the fusion machine [8].
(A different approach is taken in Dπ [2], in nomadic pict [19], and in the ambient
calculus [6], where agent migration is used for remote interaction.)

We immediately face the problem of input capability, which is the ability
in the pi calculus to receive a channel name and subsequently accept input on it.
Consider the example x(u).u(v).Q. This program is located at (the location of)
x, but upon reaction with xw it produces the continuation w(v).Q{w/u} - and
this continuation is still at x, whereas it should actually be at w. Solving the
problem of input capability is the key challenge in distributing the pi calculus.

The point of this paper is to solve the problem of input capability with a
language that is "just right" - it neither disallows more features than necessary
(as does the join calculus), nor adds more implementation work than is necessary
(as does the fusion machine). One measure of our solution is that we obtain full
abstraction with the asynchronous pi calculus, up to weak barbed congruence.
First of all, let us consider in more detail the other solutions to input capability.
The join calculus and localised pi calculus [13] simply disallow it: that is,
in a term x(u).P, the P may not contain any inputs on channel u. The problem
now is how to encode input capability into such a localised calculus. An encoding
is possible, but awkward: when the term x(u).u(v).Q | xw is encoded and then
performs the reaction, it does not perform the substitution {w/u}, but rather
encodes this substitution as a persistent forwarder between w and u. Next, a firewall
is needed to protect the protocol used by these forwarders. (The forwarder
is called a "merged proxy pair" in the join calculus.)

The fusion machine instead implements input capability through the runtime
migration of code. In our example, w(v).Q{w/u} would migrate from x over to
w after the interaction. The migration is costly however when the continuation
Q is large. In addition, code migration requires an elaborate infrastructure. To
mitigate this, a large amount of the work on the fusion machine involved an
encoding of arbitrary programs into solos programs (ones which have only simple
continuations) without incurring a performance penalty. But the encoding
used fusions, implemented through persistent trees of forwarders, which seem
awkward and fragile in the presence of failures.

The solution presented in this paper is to disallow general input capability,
and to introduce instead a limited form of input, the linear forwarder. A linear
forwarder x⊸y is a process which allows just one x to be turned into a y. The
essential point is that this limited form can be used to easily encode general
input capability. For example, consider the pi calculus term x(u).u(v).Q. We
will encode it as

x(u).(u')(u⊸u' | u'(v).Q')

where the input u(v) has been turned into a local input u'(v) at the same location
as x, and where the forwarder allows one output on u to interact with u' instead.
The encoding has the property that if the forwarder u⊸u' exists, then there is
guaranteed to be an available input on u'. We remark that linearity is crucial:
if the forwarder persisted, then the guarantee would be broken; any further u
turned into u' would become inert since there are no other inputs on u'.

One might think of a linear forwarder x⊸y as the pi calculus agent x(u).yu
located at x. This agent would be suitable for a point-to-point network such as
the Internet. But we have actually turned forwarders into first-class operators in
order to abstract away from any particular implementation. This is because other
kinds of networks benefit from different implementations of linear forwarders. In
a broadcast network, x⊸y might be located at y; whenever it hears an offer of xu
being broadcast, the machine at y can take up the offer. Another possibility is to
use a shared tuple-space such as Linda [9], and ignore all linearity information.
(The fusion machine also amounts to a shared state which ignores linearity.)

In this paper we show how to encode the pi calculus into a linear forwarder 
calculus. Conversely, we also show how linear forwarders can be encoded into 
the pi calculus. We therefore obtain full abstraction with respect to barbed 
congruence. 
We also describe a linear forwarder machine. It is a simplified form of our
earlier fusion machine, and more robust with respect to failures. This machine
gives an implementation of distributed rendezvous which can be performed locally.
In this respect it is different from Facile [10], which assumes a three-party
handshake. This handshake is a protocol for interaction, and so prevents full
abstraction. We prove full abstraction between the machine and the linear
forwarder calculus, with respect to barbed congruence.

Related Work. Forwarders have already been studied in detail by the pi community.
Much work centres around the πI calculus [17] - a variant of the pi
calculus in which only private names may be emitted, as in (x)ux. Boreale uses
forwarders to encode the emission of free names [4]: the reaction u(a).Q | ux
does not perform the substitution {x/a}, but instead encodes it as a persistent
forwarder between a and x. The same technique is used by Merro and Sangiorgi
[13] in proofs about the localised pi calculus; and both are inspired by
Honda's equators [11], which are bidirectional forwarders. Something similar is
also used by Abadi and Fournet [1]. When channels are used linearly, Kobayashi
et al. [12] show that a linear forwarder can simulate a substitution.

We remark upon some differences. If substitutions are encoded as persistent
forwarders, then the ongoing execution of a program will create steadily more
forwarders. In contrast, we perform substitution directly, and in our setting
the number of forwarders decreases with execution. More fundamentally, the πI
calculus uses forwarders to effect the substitution of data, and they must be
persistent (nonlinear) since the data might be used arbitrarily many times by
contexts. We use forwarders to effect the input capability of code, and this is
linear because a given piece of source code contains only finitely many input
commands. Our proofs are similar in structure to those of Boreale, but are much
simpler due to linearity.

Structure. The structure of this paper is as follows. Section 2 gives the linear
forwarder calculus, and shows how to encode the pi calculus (with its input
mobility) into this calculus. Section 3 gives bisimulations for the linear forwarder
calculus, and Section 4 proves full abstraction of the pi calculus encoding.
Section 5 describes a distributed abstract machine for implementing the linear
forwarder calculus, and Section 6 proves full abstraction for this implementation.
We outline future developments in Section 7.

2 The Linear Forwarder Calculus

We assume an infinite set 𝒩 of names ranged over by u, v, x, .... Names represent
communication channels, which are also the values being transmitted in
communications. We write x̃ for a (possibly empty) finite sequence x_1 ··· x_n of
names. Name substitutions {ỹ/x̃} are as usual.

Definition 1 (Linear forwarder calculus). Terms are given by

$$P \;::=\; 0 \;\mid\; x\tilde{y} \;\mid\; x(\tilde{y}).P \;\mid\; (x)P \;\mid\; P|P \;\mid\; !P \;\mid\; x \multimap y$$

Structural congruence ≡ is the smallest equivalence relation satisfying the following
and closed with respect to contexts and alpha-renaming:

$$P|0 \equiv P \qquad P|Q \equiv Q|P \qquad P|(Q|R) \equiv (P|Q)|R \qquad !P \equiv P\,|\,!P$$
$$(x)(y)P \equiv (y)(x)P \qquad (x)(P|Q) \equiv P\,|\,(x)Q \;\text{ if } x \notin \mathrm{fn}\,P$$

Reaction → is the smallest equivalence satisfying the following and closed under ≡,
(x)· and ·|·:

$$u(\tilde{x}).P \;|\; u\tilde{y} \;\to\; P\{\tilde{y}/\tilde{x}\} \qquad\qquad x\tilde{u} \;|\; x \multimap y \;\to\; y\tilde{u}$$



The operators in the syntax are all standard apart from the linear forwarder
x⊸y. This allows one output on x to be transformed into one on y, through
the second reaction rule. In the output xỹ and the input x(ỹ).P, the name x
is called the subject and the names ỹ are the objects. In the restriction (x)P,
the name x is said to be bound. Similarly, in x(ỹ).P, the names ỹ are bound in
P. The free names in P, denoted fn(P), are the names in P with a non-bound
occurrence. We write (x_1 ··· x_n)P for (x_1) ··· (x_n)P.

Next we make a localised sub-calculus, by adding the no-input-capability constraint.
It is standard from the localised pi calculus [13] and the join calculus that such
a constraint makes a calculus amenable to distributed implementation.

Definition 2 (Localised calculus). The localised linear forwarder calculus,
which we abbreviate Lℓ, is the sub-calculus of the linear forwarder calculus which
satisfies the no-input-capability constraint: in x(u).P, the P has no free occurrence
of u as the subject of an input.

We remark that the no-input-capability constraint is preserved by structural
congruence and by reaction.

The asynchronous pi calculus [5] is a sub-calculus of the linear forwarder
calculus, obtained by dropping linear forwarders. We give an encoding of the
asynchronous pi calculus into the localised linear forwarder calculus Lℓ, showing
that the input capability can be expressed using forwarders and local inputs.
Henceforth, when we refer to the pi calculus, we mean the asynchronous pi
calculus.

Definition 3 (Encoding pi). The encoding [·] maps terms in the pi calculus
into terms in the Lℓ calculus as follows. (In the input and restriction cases,
assume that the bound names do not clash with ũ.) Define [P] = [P]_∅, where

$$
\begin{array}{rcll}
[x(\tilde{y}).P]_{\tilde{u}} &=& x(\tilde{y}).[P]_{\tilde{u}\tilde{y}} & \text{if } x \notin \tilde{u} \\[0.5ex]
 &=& (u_i')\big(u_i \multimap u_i' \;|\; u_i'(\tilde{y}).[P]_{\tilde{u}\tilde{y}}\big) & \text{if } x = u_i,\ u_i \in \tilde{u} \\[0.5ex]
[(x)P]_{\tilde{u}} &=& (x)[P]_{\tilde{u}} \\[0.5ex]
[P|Q]_{\tilde{u}} &=& [P]_{\tilde{u}} \;|\; [Q]_{\tilde{u}} \\[0.5ex]
[!P]_{\tilde{u}} &=& ![P]_{\tilde{u}} \\[0.5ex]
[x\tilde{y}]_{\tilde{u}} &=& x\tilde{y} \\[0.5ex]
[0]_{\tilde{u}} &=& 0
\end{array}
$$

Linear Forwarders 419

To understand the encoding, note that we use "primed" names to denote local
copies of names. So the encoding of x(u).u(y).P will use a new channel u' and a
process u'(y).P, both at the same location as x. It will also create exactly one
forwarder u⊸u', from the argument passed at runtime to u'. Meanwhile, any
output use of u is left unchanged.

To illustrate the connection between the reactions of a pi term and of its
translation, we consider the pi calculus reduction uy | u(x).P → P{y/x}. By
translating we obtain:

$$
\begin{array}{rcl}
[uy \;|\; u(x).P]_u &=& uy \;|\; (u')\big(u \multimap u' \;|\; u'(x).[P]_{xu}\big) \\[0.5ex]
&\to& (u')\big(u'y \;|\; u'(x).[P]_{xu}\big) \\[0.5ex]
&\to& (u')\big([P]_{xu}\{y/x\}\big) \\[0.5ex]
&\equiv& [P]_{xu}\{y/x\}
\end{array}
$$

Note that the final state of the translated term is subscripted on x and u, not
just on u. In effect, the translated term ends up with some garbage that was
not present in the original. Because of this garbage, it is not in general true that
Q → Q' implies [Q] →* [Q']; instead we must work up to some behavioural
congruence. The following section deals with barbed congruence.

We remark that linearity is crucial in the translation. For instance, consider
a non-linear translation where forwarders are replicated:

$$[u(x).P]_{\tilde{u}} = (u')\big(!u \multimap u' \;|\; u'(x).P\big)$$

Then consider the example

$$
\begin{array}{rcl}
[u().P \;|\; u().Q \;|\; u \;|\; u]_u &=& (u')(!u \multimap u' \;|\; u'().P) \;|\; (u'')(!u \multimap u'' \;|\; u''().Q) \;|\; u \;|\; u \\[0.5ex]
&\to& (u')(P \;|\; !u \multimap u') \;|\; (u'')(!u \multimap u'' \;|\; u''().Q) \;|\; u \\[0.5ex]
&\to& (u')(P \;|\; u' \;|\; !u \multimap u') \;|\; (u'')(!u \multimap u'' \;|\; u''().Q)
\end{array}
$$

Here, both outputs were forwarded to the local name u', even though the resource
u'().P had already been used up by the first one. This precludes the second one
from reacting with Q - a reaction that would have been possible in the original
pi calculus term. We need linearity to prevent the possibility of such dead ends.
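To make the reduction above and the linearity argument concrete, here is a small reduction engine for the calculus, written for this page as an added example (it is not code from the paper). It implements Definition 3 with single-object inputs and outputs, normalises terms up to structural congruence by pulling restrictions to the top level, applies the two reaction rules leftmost-first, and runs both the reduction uy | u(x).P from above and the replicated-forwarder variant; with `linear=False` the second output is stranded on the local name, which is exactly the dead end just described. Names such as `done_p`, `done_q` and the fresh-name scheme `u'#k` are this example's own.

```python
"""Toy reduction engine for the linear forwarder calculus (added example).
Terms are tuples, one object per input/output:
  ('nil',) ('out', x, y) ('in', x, y, P) ('res', x, P) ('par', P, Q) ('rep', P) ('fwd', x, y)
"""
from itertools import count

_fresh = count(1)

def subst(P, old, new):
    """P{new/old} on free occurrences; binders are assumed distinct from `new`
    (the bound-name convention that Definition 3 also assumes)."""
    r = lambda n: new if n == old else n
    k = P[0]
    if k == 'nil':
        return P
    if k in ('out', 'fwd'):
        return (k, r(P[1]), r(P[2]))
    if k == 'in':                        # x(y).Q: y shadows old inside Q
        body = P[3] if P[2] == old else subst(P[3], old, new)
        return ('in', r(P[1]), P[2], body)
    if k == 'res':                       # (x)Q: x shadows old inside Q
        body = P[2] if P[1] == old else subst(P[2], old, new)
        return ('res', P[1], body)
    if k == 'par':
        return ('par', subst(P[1], old, new), subst(P[2], old, new))
    return ('rep', subst(P[1], old, new))

def flatten(P):
    """Normalise up to structural congruence: drop 0, split P|Q, and pull every
    restriction to the top by renaming its bound name apart (scope extrusion)."""
    k = P[0]
    if k == 'nil':
        return []
    if k == 'par':
        return flatten(P[1]) + flatten(P[2])
    if k == 'res':
        return flatten(subst(P[2], P[1], f"{P[1]}#{next(_fresh)}"))
    return [P]

def step(soup):
    """One reaction, leftmost output first; None when no reaction is enabled."""
    for i, a in enumerate(soup):
        if a[0] != 'out':
            continue
        x, y = a[1], a[2]
        for j, b in enumerate(soup):
            if j == i:
                continue
            core, replicated = (b[1], True) if b[0] == 'rep' else (b, False)
            if core[0] == 'in' and core[1] == x:       # u(z).Q | u y -> Q{y/z}
                new = flatten(subst(core[3], core[2], y))
            elif core[0] == 'fwd' and core[1] == x:    # x y | x -o y' -> y' y
                new = [('out', core[2], y)]
            else:
                continue
            used = {i} if replicated else {i, j}       # !Q is never consumed
            return [c for n, c in enumerate(soup) if n not in used] + new
    return None

def run(P, limit=100):
    soup = flatten(P)
    for _ in range(limit):
        nxt = step(soup)
        if nxt is None:
            break
        soup = nxt
    return soup

def encode(P, u=frozenset(), linear=True):
    """Definition 3, [P]_u: an input on a name received earlier (in u) becomes a
    local primed input plus one forwarder. linear=False replicates the forwarder,
    the broken variant discussed in the text."""
    k = P[0]
    if k in ('nil', 'out', 'fwd'):
        return P
    if k == 'par':
        return ('par', encode(P[1], u, linear), encode(P[2], u, linear))
    if k in ('res', 'rep'):
        return (k, *P[1:-1], encode(P[-1], u, linear))
    x, y, body = P[1], P[2], encode(P[3], u | {P[2]}, linear)
    if x not in u:
        return ('in', x, y, body)
    loc = x + "'"
    fwd = ('fwd', x, loc)
    return ('res', loc, ('par', fwd if linear else ('rep', fwd), ('in', loc, y, body)))

def barbs(soup):
    """Output subjects still present: what an observer sees (cf. P↓u below)."""
    return {a[1] for a in soup if a[0] == 'out'}

def example_reaction():
    """[u y | u(x).x v]_u  ->*  y v  (the reduction discussed in the text)."""
    P = ('par', ('out', 'u', 'y'), ('in', 'u', 'x', ('out', 'x', 'v')))
    return run(encode(P, frozenset({'u'})))

def example_two_inputs(linear):
    """u(z).done_p z | u(z).done_q z | u a | u b, with u received earlier.
    Linear forwarders let both inputs fire; replicated ones strand one output."""
    P = ('par', ('par', ('in', 'u', 'z', ('out', 'done_p', 'z')),
                        ('in', 'u', 'z', ('out', 'done_q', 'z'))),
                ('par', ('out', 'u', 'a'), ('out', 'u', 'b')))
    return barbs(run(encode(P, frozenset({'u'}), linear)))

if __name__ == "__main__":
    print(example_reaction())            # [('out', 'y', 'v')]
    print(example_two_inputs(True))      # {'done_p', 'done_q'}
    print(example_two_inputs(False))     # done_q never fires; an output on u'#k is stranded
```

The engine is deterministic (leftmost output, first matching partner), which is enough to exhibit the dead end: with replicated forwarders the second output on u is again routed to the first local copy, whose only input was already consumed, so the input guarding Q is never reached.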

3 Bisimulation and Congruence

We use barbed congruence [15] as our semantics for the Lℓ calculus.

Definition 4 (Barbed congruence). The observation relation P ↓u is the
smallest relation generated by

$$u\tilde{x} \downarrow u \qquad P|Q \downarrow u \;\text{ if } P \downarrow u \text{ or } Q \downarrow u \qquad (x)P \downarrow u \;\text{ if } P \downarrow u \text{ and } u \neq x \qquad !P \downarrow u \;\text{ if } P \downarrow u$$

We write ⇓ for →*↓, and ⇒ for →*. A symmetric relation ℛ is a weak barbed
bisimulation if whenever P ℛ Q then

1. P ⇓u implies Q ⇓u

2. P ⇒ P' implies Q ⇒ Q' such that P' ℛ Q'

Let $\dot\approx$ be the largest weak barbed bisimulation. Two terms P and Q are weak
barbed congruent in the Lℓ calculus when, for every C, C[P] $\dot\approx$ C[Q],
where C[P] and C[Q] are assumed to be terms in the Lℓ calculus. Let ≈ be the
least relation that relates all congruent terms.



We remark that barbed bisimulation $\dot\approx$ is defined for the linear forwarder
calculus. However, the weak barbed congruence ≈ is predicated upon the Lℓ
sub-calculus. Similar definitions may be given for the pi calculus, and, with abuse of
notation, we keep $\dot\approx$ and ≈ denoting the corresponding semantic relations.

As an example of ≈ congruent terms in the Lℓ calculus, we remark that

$$u(x).P \;\approx\; u(x').(x)\big(!x \multimap x' \;|\; !x' \multimap x \;|\; P\big). \qquad (1)$$

This is a straightforward variant of a standard result for equators [14], and we
use it in Lemma 9.

Our overall goal is to prove that the encoding [·] preserves the ≈ congruence.
The issue, as described near the end of the previous section, is that an encoded
term may leave behind garbage. To show that it is indeed garbage, we must prove
that [P]_ũ and [P]_ũx̃ are congruent. But the barbed semantics offer too weak an
induction hypothesis for this proof. A standard alternative technique (used for
example by Boreale [4]) is to use barbed semantics as the primary definition, but
then to use in the proofs a labelled transition semantics and its corresponding
bisimulation ≈_ℓ, which is stronger than barbed congruence. The remainder of this
section is devoted to the labelled semantics.



Definition 5 (Labelled semantics). The labels, ranged over by μ, are the
standard labels for interaction τ, input ux̃ and possibly-bound output (z̃)ux̃,
where z̃ ⊆ x̃. The bound names bn(μ) of these input and output labels are x̃ and
z̃ respectively.

$$
\begin{array}{c}
u(\tilde{x}).P \xrightarrow{\;u\tilde{x}\;} P \qquad\qquad
u\tilde{x} \xrightarrow{\;u\tilde{x}\;} 0 \qquad\qquad
u \multimap v \xrightarrow{\;u\tilde{x}\;} v\tilde{x}
\\[2ex]
\dfrac{P \xrightarrow{\mu} P' \quad y \notin \mu}{(y)P \xrightarrow{\mu} (y)P'} \qquad\qquad
\dfrac{P\,|\,!P \xrightarrow{\mu} P'}{!P \xrightarrow{\mu} P'} \qquad\qquad
\dfrac{P \xrightarrow{(\tilde{z})u\tilde{x}} P' \quad y \neq u,\ y \in \tilde{x}\setminus\tilde{z}}{(y)P \xrightarrow{(y\tilde{z})u\tilde{x}} P'}
\\[2ex]
\dfrac{P \xrightarrow{\mu} P' \quad \mathrm{bn}(\mu) \cap \mathrm{fn}(Q) = \emptyset}{P|Q \xrightarrow{\mu} P'|Q} \qquad\qquad
\dfrac{P \xrightarrow{(\tilde{z})u\tilde{y}} P' \quad Q \xrightarrow{u\tilde{x}} Q' \quad \tilde{z} \cap \mathrm{fn}(Q) = \emptyset}{P|Q \xrightarrow{\tau} (\tilde{z})\big(P'\,|\,Q'\{\tilde{y}/\tilde{x}\}\big)}
\end{array}
$$

The transitions of P|Q have mirror cases, which we have omitted. We implicitly
identify terms up to alpha-renaming ≡_α: that is, if P ≡_α · --μ--> P' then
P --μ--> P'. We write $\overset{\mu}{\Longrightarrow}$ for $\Longrightarrow \xrightarrow{\mu} \Longrightarrow$.

A symmetric relation ℛ is a weak labelled bisimulation if whenever P ℛ Q
then P --μ--> P' implies Q ==μ==> Q' with P' ℛ Q'. Let ≈_ℓ be the largest labelled bisimulation.

This definition is given for terms in the full linear forwarder calculus. It is a
standard result that ≈_ℓ is a congruence with respect to contexts in the full
calculus, and hence also with respect to contexts in the Lℓ calculus and the pi
calculus. The connection between labelled and barbed semantics is also standard:

Lemma 6. In the Lℓ calculus,

1. P → P' iff P --τ--> ≡ P'.

2. P ↓u iff P --(z̃)uỹ--> P' for some P'.

3. ≈_ℓ ⊆ ≈.

The bisimulation ≈_ℓ allows for some congruence properties to be proved
trivially (the first will be used in Proposition 10):

$$u \multimap v \;\approx_\ell\; u(\tilde{x}).v\tilde{x} \;\approx_\ell\; (u')\big(u \multimap u' \;|\; u'(\tilde{x}).v\tilde{x}\big). \qquad (2)$$

$$u(\tilde{x}).P \;\approx_\ell\; (u')\big(u \multimap u' \;|\; u'(\tilde{x}).P\big).$$

4 Full Abstraction for the Pi Calculus Encoding

The Lℓ calculus is fully abstract with respect to the pi calculus encoding: P ≈ Q
in pi if and only if [P] ≈ [Q] in Lℓ. Informally, this is because the pi calculus
input capability can be encoded with linear forwarders (as in Definition 3);
and conversely a linear forwarder x⊸y can be encoded as the pi calculus term
x(u).yu. This section builds up to a formal proof of the result.

The structure of the proof follows that of Boreale ([4], Definition 2.5 to
Proposition 3.6). However, the proofs are significantly easier in our setting. We
begin with a basic lemma about the encoding [·].

Lemma 7. In the linear forwarder calculus,

1. [P]_ũ ≈_ℓ [P].

2. [P]_ũ{y/x} ≈_ℓ [P{y/x}]_ũ.

3. [P]_ũ{y/x} ≈_ℓ (u')(u'y | u'(x).[P]_ũx).

Proof. The first two are trivial inductions on P. The last one follows directly. □

We draw attention to the first part of Lemma 7. This is an important simplifying
tool. It means that, even though the encoding [u(x).P]_ũ = (u')(u⊸u' |
u'(x).[P]_ũx) involves progressively more subscripts, they can be ignored up to
behavioural equivalence. Thus, although a context C might receive names x̃ in
input, we can ignore this fact: C[[P]_x̃] ≈_ℓ C[[P]] in the linear forwarder
calculus. (Notice that, given a localised term C[[P]_x̃], it is not necessarily the case
that C[[P]] is also localised; hence the result does not carry over to ≈, which is
only defined for Lℓ contexts.) Part 1 does not hold for Boreale, and so his equivalent
of Part 3 uses a significantly longer (5-page) alternative proof. The essential
difference is that Boreale produces forwarders upon reaction; we consume them.

Note that this section has even simpler proofs, using the property P ≈_ℓ [P]
which is deduced directly from Lemma 7 and the definition of [·]. However,
this property relates terms from two different sub-calculi of the linear forwarder
calculus, which some readers found inelegant - so we have avoided it.

The following proposition is equivalent to Boreale's Propositions 3.5-3.6:

Proposition 8. For P, Q in the pi calculus, P ≈_ℓ Q if and only if [P] ≈_ℓ [Q].

We will also need the following lemma. It generalises Lemma 7.1 to apply to
barbed congruence rather than just labelled bisimulation. Effectively, it implies
that a non-localised context can be transformed into a localised one.

Lemma 9. For P, Q in the pi calculus, [P] ≈ [Q] implies [P]_z̃ ≈ [Q]_z̃.

Proof. From Lemma 7.1 we get [P]_z̃ ≈_ℓ [P] ≈ [Q] ≈_ℓ [Q]_z̃. The result follows
by Lemma 6.3 and the transitivity of ≈. (We thank an anonymous reviewer for
this simpler proof.) □

We are now ready to establish full abstraction for the encoding of the pi
calculus into the Lℓ calculus.

Theorem 10 (Full abstraction). For P, Q in the pi calculus, P ≈ Q if and
only if [P] ≈ [Q] in the Lℓ calculus.

Proof. We show that (1) P ≉ Q implies [P] ≉ [Q] and (2) [P] ≉ [Q] implies
P ≉ Q. We write C_π and C_Lℓ to range over contexts such that C_π[P], C_π[Q] are
terms in the pi calculus, and C_Lℓ[[P]], C_Lℓ[[Q]] are terms in the Lℓ calculus.

To establish (1), extend the translation [·] to contexts in the obvious way.
Since the translation [·] is compositional, we get [C[P]] = [C][[P]_z̃] and
[C[Q]] = [C][[Q]_z̃] for some z̃ determined by C. Next, we reason by
contradiction: we prove that P ≉ Q and [P] ≈ [Q] is false. Assuming P ≉ Q, there
exists a context C_π[] such that C_π[P] ≉ C_π[Q]. By [P] ≈ [Q] and Lemma 9,
we also have [P]_z̃ ≈ [Q]_z̃. Therefore, in particular [C_π][[P]_z̃] ≈ [C_π][[Q]_z̃]
and, by the above equalities, [C_π[P]] ≈ [C_π[Q]]. By Proposition 8, this latter
bisimulation contradicts C_π[P] ≉ C_π[Q].

To establish (2), we show that pi contexts are as expressive as linear forwarder
contexts, by exhibiting a pi implementation of linear forwarders. To this end,
we define $\widehat{\cdot}$, which translates x⊸y into x(u).yu and leaves all else unchanged.
Similarly to (1), we prove that [P] ≉ [Q] and P ≈ Q are contradictory. We
are given a context C_Lℓ[] such that C_Lℓ[[P]] ≉ C_Lℓ[[Q]]. Consider the agent
$[\widehat{C_{L\ell}}[P]]$, which by definition is equal to $[\widehat{C_{L\ell}}][[P]_{\tilde z}]$ for some z̃. By Lemma 7
this is ≈_ℓ-bisimilar to $[\widehat{C_{L\ell}}][[P]]$. Now we consider the double translation $[\widehat{\cdot}]$; it
will convert each forwarder u⊸v into either u(x).vx or (u')(u⊸u' | u'(x).vx).
Thanks to Equation 2, $[\widehat{C_{L\ell}}][[P]] \approx_\ell C_{L\ell}[[P]]$. And, with similar reasoning,
the same holds for Q. The proof follows from these results. From the assumption
that P ≈ Q we get $\widehat{C_{L\ell}}[P] \approx \widehat{C_{L\ell}}[Q]$. By Proposition 8, the same holds for
$[\widehat{C_{L\ell}}[P]]$ and $[\widehat{C_{L\ell}}[Q]]$.

Now we focus on P. $[\widehat{C_{L\ell}}[P]] = [\widehat{C_{L\ell}}][[P]_{\tilde z}]$ (by definition of [·]); $\approx_\ell [\widehat{C_{L\ell}}][[P]]$
(by Lemma 7.1); $\approx_\ell C_{L\ell}[[P]]$ (by Equation 2). Doing the same to Q, we obtain
C_Lℓ[[P]] ≈_ℓ C_Lℓ[[Q]], contradicting [P] ≉ [Q] and so proving the result. □

5 A Linear Forwarder Machine 

In this section we develop a distributed machine for the Lℓ calculus, suitable for a
point-to-point network such as the Internet. This machine is actually very similar
to the fusion machine [8], but with linear forwarders instead of fusions (trees of
persistent forwarders). We first give a diagrammatic overview of the machine.
Then we provide a formal syntax, and prove full abstraction with respect to
barbed congruence.

We assume a set of locations. Each channel belongs to a particular location.
For instance, channels u, v, w might belong to ℓ1 and x, y to ℓ2. The structure of a
channel name u might actually be the pair (IP:TCP), giving the IP number and
port number of a channel-manager service on the Internet. Every input process
is at the location of its subject channel. Output processes may be anywhere. For
example,



    ℓ1 : u v w      u(x).(x')(x⊸x' | x'(z).P)
    ℓ2 : x y        uy | yw

In a point-to-point network such as the Internet, the output message uy would
be sent to u to react; in a broadcast network such as wireless or ethernet, the
offer of output would be broadcast and then ℓ1 would accept the offer. In both
cases, the result is a reaction and a substitution {y/x} as follows:

    ℓ1 : u v w x'   y⊸x' | x'(z).P{y/x}
    ℓ2 : x y        yw

The overall effect of the linear forwarder y⊸x' will be to turn the yw into x'w.
In a point-to-point network this can be implemented by migrating the y⊸x' to
ℓ2, there to push the yw to x', as shown below. (In the following diagrams, some
steps are shown as heating transitions; these steps were abstracted away in
the Lℓ calculus.)

    ℓ1 : u v w x'   x'(z).P{y/x}
    ℓ2 : x y        y⊸x' | yw

    ℓ1 : u v w x'   x'w | x'(z).P{y/x}
    ℓ2 : x y

    ℓ1 : u v w x'   P{y/x}{w/z}
    ℓ2 : x y




In a broadcast network, the linear forwarder y⊸x' would instead stay at ℓ1;
later, when the offer of ya is broadcast, the linear forwarder can grab the offer.

We remark that the above machine basically avoids code migration: after an
input, the continuation remains in the same place (with the minor exception
that forwarders x⊸x' and outputs xy may migrate, which is easy to implement).
Because code does not migrate, there is no need for a run-anywhere
infrastructure such as Java, and it is possible to compile into CPU-specific
machine code.

Distributed Choice. A well-known operator in process calculi is the input-guarded
choice x(u).P + y(v).Q. In the case where x and y are at separate
locations, the choice is awkward to implement, but we can compile it into an
(easily implementable) localised choice as follows:

$$[x(u).P + y(v).Q] = (x'y')\Big(x \multimap x' \;|\; y \multimap y' \;|\; x'(u).(P \;|\; y' \multimap y) + y'(v).(Q \;|\; x' \multimap x)\Big)$$

To understand this encoding, note that the new names x' and y' will be created at
the same location, and so the choice between x' and y' will be a local one. Next, an
output on x may be forwarded to x', or one on y to y', or both. If the reaction with
x' is taken, this yields y'⊸y to "undo" the effect of the forwarder that was not
taken. (It undoes it up to weak barbed congruence, in the sense that (y')(y⊸y' | y'⊸y) ≈ 0.)
Note that even if the location of x should fail, then the y option remains open,
and vice versa.

Failure. We briefly comment on the failure model for the linear forwarder machine.
It is basically the same as failure in the join calculus: either a message
can be lost, or an entire location can fail. If a linear forwarder x⊸y should fail,
the effect is the same as if a single future message xu should fail. A command
'iffail(u) then P' might be added to determine if u's location is unresponsive.
The current theory was largely prompted by criticisms of the fragility of our
earlier fusion machine.
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5.1 The Machine Calculus 

Definition 11 (Linear forwarder machine). Localised linear forwarder machines
M are given by the following grammar, where P ranges over terms in the Lπ
calculus (Definition 2):

    M ::= 0 | x[P] | (x)[P] | M,M

The presentation here is similar to that given for the fusion machine [8]. The
basic channel-manager x[P] denotes a channel-manager at channel x containing
a body P. The local channel-manager (x)[P] denotes a channel-manager where
the name x is not visible outside the machine. We write chan M to denote the
set of names of all channel-managers in the machine, and lchan M for the names
of only the local channel-managers.

We assume a co-location equivalence relation L on channels. We write x@y
to mean that (x, y) ∈ L, with the intended meaning that the two channels
are at the same location. It is always possible to create a fresh channel at an
existing location: therefore let each equivalence class in L be infinitely large. In
the machine calculus, we generally assume L rather than writing it explicitly.
There are a number of well-formedness conditions on machines:

(1) Localised. All code is in the right place, and does not need to be moved at
runtime. Formally, in every channel u[P], every free input v(x).Q satisfies u@v.
(Also, no received name is used as the subject of input; this already holds from
the Lπ calculus).

(2) Singly-defined. There is exactly one channel-manager per channel. Formally,
a machine x1[P1], ..., xn[Pn] is singly-defined when i ≠ j implies xi ≠ xj
(xi or xj may be local).

(3) Complete. It does not make sense to write a program that refers to channels
which do not exist. We say that a machine is complete when it has no such
references. Formally, the free names of a machine must be contained in chan M.

A machine is well-formed when it is localised, singly-defined and complete.
In the following, we consider only well-formed machines.

Definition 12 (Dynamics). The structural congruence ≡ for well-formed machines
is the smallest equivalence relation satisfying the following laws:

    M,0 ≡ M      M1,M2 ≡ M2,M1      M1,(M2,M3) ≡ (M1,M2),M3
    P ≡ Q implies u[P] ≡ u[Q] and (u)[P] ≡ (u)[Q]

The reduction step → and the heating step ⇝ are the smallest relations satisfying
the rules below, and closed with respect to structural congruence. Each rule
addresses generically both free and local channel-managers.

    u[uy | u(x).P | R]     →  u[P{y/x} | R]                               (react)

    u[u⊸v | ux | R]        →  u[vx | R]                                    (fwd)

    u[(x)P | R]            ⇝  u[P{x'/x} | R], (x')[]     x' fresh, x'@u    (dep.new)

    u[x⊸y | R1], x[R2]     ⇝  u[R1], x[x⊸y | R2]         if u ≠ x          (dep.fwd)

    u[xy | R1], x[R2]      ⇝  u[R1], x[xy | R2]          if u ≠ x          (dep.out)

    u[x(y).P | R1], x[R2]  ⇝  u[R1], x[x(y).P | R2]      if u ≠ x, u@x     (dep.in)

For every transition rule above, we close it under contexts:

    M → M',  chan M' ∩ chan N = ∅          M ⇝ M',  chan M' ∩ chan N = ∅
    ------------------------------         ------------------------------
            M,N → M',N                             M,N ⇝ M',N



We draw attention to two of the rules. The rule (dep.new) picks a fresh channel-
name x' and this channel is deemed to be at the location where the command was
executed. The rule (dep.in) will only move an input command from one channel
u to another channel x if the two channels are co-located; hence, there is no
"real" movement. In the current presentation we have used arbitrary replication
!P, but in a real machine we would instead use guarded replication [18], as is
used in the fusion machine. All rules preserve well-formedness.
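To see the rules of Definition 12 drive the trace shown at the start of this section, here is a small simulator for the machine calculus. It is an added illustration, not code from the paper: it assumes point-to-point deployment (outputs and forwarders migrate to the location of their channel, as the text describes), leaves out replication, and uses constructed channel names u, v, w, y and location labels l1, l2. The ValueError raised in the second function is the simulator's own report that the localised condition (1) of Definition 11 would be violated; it is not a rule of the paper.

```python
"""Simulator for the localised linear forwarder machine (Definitions 11 and 12).
Lπ terms are tuples, a parallel composition is a list of terms, replication is omitted:
    ('out', x, y)        output xy
    ('in',  x, z, body)  input x(z).P, with body the list of terms of P
    ('fwd', x, y)        linear forwarder x ⊸ y
    ('new', x, body)     restriction (x)P
Names are assumed pairwise distinct, so substitution never needs to avoid capture."""
import itertools


def subst(terms, old, new):
    """P{new/old}: rename free occurrences of the channel `old` in a list of terms."""
    r = lambda n: new if n == old else n
    out = []
    for t in terms:
        if t[0] in ('out', 'fwd'):
            out.append((t[0], r(t[1]), r(t[2])))
        elif t[0] == 'in':                       # x(z).P: z binds, so stop when z == old
            out.append(('in', r(t[1]), t[2], t[3] if t[2] == old else subst(t[3], old, new)))
        else:                                    # (x)P: x binds likewise
            out.append(('new', t[1], t[2] if t[1] == old else subst(t[2], old, new)))
    return out


class Machine:
    def __init__(self, locations, contents):
        """locations: {location: [channels]} (x@y iff same location); contents: {x: terms of x[P]}."""
        self.location = {ch: loc for loc, chs in locations.items() for ch in chs}
        self.managers = {ch: list(contents.get(ch, [])) for ch in self.location}
        # local channels created by (dep.new), the rule names applied, and a fresh-name counter
        self.local, self.trace, self._fresh = set(), [], itertools.count(1)

    def step(self):
        """Apply one rule and return its name (None when the machine is stuck).  Heating
        comes first, so reactions happen only in a fully-deployed machine (cf. Lemma 14)."""
        for u, terms in list(self.managers.items()):
            for i, t in enumerate(terms):
                kind, subj = t[0], t[1]
                if kind == 'new':                                     # (dep.new)
                    fresh = f"{subj}{next(self._fresh)}"              # fresh name with x'@u
                    terms.pop(i)
                    self.location[fresh] = self.location[u]
                    self.managers[fresh] = []                         # the new (x')[] manager
                    self.local.add(fresh)
                    terms.extend(subst(t[2], subj, fresh))
                    return 'dep.new'
                if subj != u:                                         # (dep.out/fwd/in)
                    if kind == 'in' and self.location[subj] != self.location[u]:
                        # an input would have to move to another location: condition (1) fails
                        raise ValueError(f"input on {subj} at {u}: not localised")
                    self.managers[subj].append(terms.pop(i))
                    return {'out': 'dep.out', 'fwd': 'dep.fwd', 'in': 'dep.in'}[kind]
        for u, terms in self.managers.items():
            outs = [t for t in terms if t[0] == 'out']
            ins = [t for t in terms if t[0] == 'in']
            fwds = [t for t in terms if t[0] == 'fwd']
            if outs and ins:                                          # (react)
                o, i = outs[0], ins[0]
                terms.remove(o); terms.remove(i)
                terms.extend(subst(i[3], i[2], o[2]))
                return 'react'
            if outs and fwds:                                         # (fwd)
                o, f = outs[0], fwds[0]
                terms.remove(o); terms.remove(f)
                terms.append(('out', f[2], o[2]))
                return 'fwd'
        return None

    def run(self):
        while (rule := self.step()) is not None:
            self.trace.append(rule)
        return self


def encoded_example():
    """The machine of the trace at the start of this section, one reaction earlier:
    u, v, w at l1 and y at l2; the input on the received name x is encoded as
    (x')(x ⊸ x' | x'(z).P), taking P = z x for concreteness."""
    return Machine({'l1': ['u', 'v', 'w'], 'l2': ['y']}, {
        'u': [('out', 'u', 'y'),
              ('in', 'u', 'x', [('new', "x'", [('fwd', 'x', "x'"),
                                               ('in', "x'", 'z', [('out', 'z', 'x')])])])],
        'y': [('out', 'y', 'w')]}).run()


def unencoded_example():
    """The same program with the input placed directly on the received name: after u
    receives y, the input y(z) sits at u while y lives at l2.  Returns the error text."""
    m = Machine({'l1': ['u', 'v', 'w'], 'l2': ['y']}, {
        'u': [('out', 'u', 'y'), ('in', 'u', 'x', [('in', 'x', 'z', [('out', 'z', 'x')])])],
        'y': [('out', 'y', 'w')]})
    try:
        m.run()
    except ValueError as err:
        return str(err)
    return None
```

Running encoded_example() applies react, dep.new, dep.fwd, dep.in, fwd, dep.out, react, dep.out in that order, which is exactly the path the trace above takes after the forwarder has been deployed to y; the only remaining term is the output wy at w. The unencoded variant reacts once and then stops at the input y(z) held at u, which no heating rule may move because u and y are not co-located.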

Definition 13 (Bisimulation). The observation M ↓ u is the smallest relation
satisfying u[P] ↓ u if P ↓ u, and M1,M2 ↓ u if M1 ↓ u or M2 ↓ u. Write ⇒
for (⇝ ∪ →)*, and M ⇓ u for M ⇒↓ u. A weak barbed bisimulation ℛ between
machines is a symmetric relation such that if M ℛ N then

1. M ↓ u implies N ⇓ u

2. M → M' implies N ⇒ N' such that M' ℛ N'

Let ≈ be the largest weak barbed bisimulation. Two machines M1 and M2 are weak
barbed equivalent, written M1 ≃ M2, when for every machine N, N,M1 ≈ N,M2.
(Note that N,M1 and N,M2 are assumed to be well-formed, so chan N ∩ chan M1 =
chan N ∩ chan M2 = ∅.)

We will prove correctness using a translation calc M = (lchan M)[[M]] from
machines to terms in the Lπ calculus, where

    [[0]] = 0     [[x[P]]] = P     [[(x)[P]]] = P     [[M1,M2]] = [[M1]] | [[M2]]

One might prefer to prove correctness of a “compiling” translation, which takes 
a term and compiles it into a machine - rather than the reverse translation 
calc. However, different compilers are possible, differing in their policy for which 
location to upload code into. We note that all correct compilers are contained 
in the inverse of calc, so our results are more general. 

The correctness of the forwarder machine relies on the following lemma.

Lemma 14 (Correctness). M1 ≈ M2 if and only if calc M1 ≈ calc M2.

Proof. It is clear that machine operations are reflected in the calculus: M ≡ M'
implies calc M ≡ calc M', and M ⇝ M' implies calc M ≡ calc M', and M → M'
implies calc M → calc M', and M ↓ u implies calc M ↓ u.

The reverse direction is more difficult. We wish to establish that

1. calc M ↓ u implies M ⇓ u, and

2. calc M → P' implies ∃M' : M ⇒ M' and P' ≡ calc M'.

Both parts share a similar proof; we focus on part 2. Given the machine M, there
is also a fully-deployed machine M' such that M ⇝* M' and M' has no heating
transitions: that is, all unguarded restrictions have been used to create fresh
channels, and all outputs and forwarders are at the correct location. Therefore
calc M ≡ calc M' → P'. The structure of calc M' has the form (lchan M')[[M']].
The reaction must have come from an output uy and an input u(x).P in M' (or from
an output and a forwarder). Because M' is fully-deployed, it must contain
u[uy | u(x).P]. Therefore it too must allow the corresponding reaction. The
bisimulation result follows directly from the above. □

We now prove full abstraction: that two machines are barbed equivalent if and
only if their corresponding Lπ calculus terms are barbed congruent. There is some
subtlety here. With the Lπ calculus, ≅ is closed under restriction, input prefix
and parallel contexts. With the abstract machine, ≃ is only closed under the
partial machine composition: contexts can add new channel managers to the
machine, but not additional programs to existing ones. We defined machine
equivalence around this partial closure, because this is the most natural
equivalence in the machine setting. (It is not surprising that contexts gain no
additional discriminating power through restriction and input-prefixing, since
the same holds in the asynchronous pi calculus without matching [14]: P ≅ Q if
and only if R|P ≈ R|Q for every R.)

It has been suggested that a weaker simulation result would suffice. But we
believe that full abstraction shows our machine to be a natural implementation of
the pi calculus, in contrast to Facile and Join. Practically, full abstraction means
that a program can be debugged purely at source-level rather than machine-level.

Theorem 15 (Full abstraction). M1 ≃ M2 if and only if calc M1 ≅ calc M2.

Proof. The reverse direction is straightforward, because machine contexts are
essentially parallel compositions. In the forwards direction, it suffices to prove
R | calc M1 ≈ R | calc M2 for every R. By contradiction suppose the contrary:
namely, there exists an R such that the two are not barbed bisimilar. Expanding
the definition of calc we obtain that R | (lchan M1)[[M1]] ≉ R | (lchan M2)[[M2]].

We now show how to construct a machine context M_R such that M_R,M1 ≉
M_R,M2, thus demonstrating a contradiction. Without loss of generality, suppose
that R does not clash with the local names lchan M1 or lchan M2. This gives
(lchan M1)(R | [[M1]]) ≉ (lchan M2)(R | [[M2]]). In order to ensure well-formedness
of M_R,M1 and M_R,M2, let z = chan M1 ∪ chan M2. By Lemma 7 we get [[R]]_z ≈ R,
and by definition [[R]]_z contains no inputs on z, so satisfying the localised
property. Now assume without loss of generality that R contains no top-level
restrictions. Let M_R = u[[[R]]_z] for a fresh name u such that, for every free
input ui(x).R' in R, ui@u. Hence lchan M_R = ∅ and [[M_R]] = [[R]]_z. This yields
calc(M_R,M1) = (lchan M1)([[R]]_z | [[M1]]) ≈ (lchan M1)(R | [[M1]]), and similarly
for M2. And finally, by construction, both M_R,M1 and M_R,M2 are singly-defined
and complete. □

6 Further Issues 

The point of this paper is to provide a distributed implementation of the input 
capability of the pi calculus. We have shown that a limited form of input ca- 
pability (linear forwarders) is enough to easily express the full input capability. 
We have expressed this formally through a calculus with linear forwarders, and 
a proof of its full abstraction with respect to the pi calculus encoding. 

The calculus in this paper abstracts away from certain details of implementation
(such as the choice between a point-to-point or broadcast network). Nevertheless,
thanks to its localisation property, it remains easy to implement.

Coupled Bisimulation. There is an interesting subtlety in the encoding of input
capability. Our first attempt at an encoding gave, for example,

    [[u(x).(x().P | x().Q)]] = u(x).(x')( x⊸x' | x'().P | x⊸x' | x'().Q )

That is, we tried to reuse the same local name x' for all bound inputs. But
then, a subsequent reaction x⊸x' | xz → x'z would be a commitment to react
with one of x'().P or x'().Q, while ruling out any other possibilities. This partial
commitment does not occur in the original pi calculus expression, and so the
encoding does not even preserve behaviour. An equivalent counterexample in
the pi calculus is that τ.P + τ.Q + τ.R and τ.P + τ.(τ.Q + τ.R) are not weak
bisimilar. We instead used an encoding which has a fresh channel for each bound
input:

    [[u(x).(x().P | x().Q)]] = u(x).( (x')(x⊸x' | x'().P) | (x'')(x⊸x'' | x''().Q) )

Now, any reaction with a forwarder is a complete rather than a partial
commitment. In fact, both encodings are valid. The original encoding, although not
a bisimulation, is still a coupled bisimulation [16]. (Coupled bisimulation is a
less-strict form of bisimulation that is more appropriate for an implementation,
introduced for the same reasons as given here.) In this paper we chose the normal
bisimulation and the repaired encoding, because they are simpler.

The Join Calculus and Forwarders. We end with some notes on the difference
between the join calculus [7] and the Lπ calculus. The core join calculus is

    P ::= 0 | xu | P|P | def x(u)|y(v) ▷ P in Q

The behaviour of the def resource is, when two outputs xu' and yv' are available,
then it consumes them to yield a copy P{u'v'/uv} of P. Note that x and y are
bound by def, and so input capability is disallowed by syntax. The core join
calculus can be translated into the pi calculus (and hence Lπ) as follows [7]:

    [[0]] = 0     [[xu]] = xu     [[P|Q]] = [[P]] | [[Q]]

    [[def x(u)|y(v) ▷ P in Q]] = (xy)( [[Q]] | !x(u).y(v).[[P]] )

If a join program is translated into the linear forwarder machine and then
executed, then the result has exactly the same runtime behaviour (i.e. same number
of messages) as the original join program. Additionally, we can provide the same
distribution of channels through the co-location operator discussed above.

A reverse translation is more difficult, because of linear forwarders. One might
try to translate x⊸y | R into def x(u) ▷ yu in [[R]], analogous with the translation
of a forwarder into the pi calculus that was used in Proposition 10. But the Lπ
calculus allows a received name to be used as the source of a forwarder, as in
u(x).(x⊸y | P), and the same is not possible in the join calculus. Therefore
contexts in the Lπ calculus are strictly more discriminating than contexts in the
join calculus. (As an example, def x(u) ▷ yu in zx is equivalent to zy in the
join calculus, but the context z(a).(a⊸b | a | -) can distinguish them in the Lπ
calculus.)
Abstract. Compositional Reasoning - reducing reasoning about a concurrent
system to reasoning about its individual components - is an essential tool for
managing proof complexity and state explosion in model checking. Typically,
such reasoning is carried out in an assume-guarantee manner: each component
guarantees its behavior based on assumptions about the behavior of other
components. Restrictions imposed on such methods to avoid unsoundness usually
also result in incompleteness - i.e., one is unable to prove certain properties.
In this paper, we construct an abstract framework for reasoning about process
composition, formulate an assume-guarantee method, and show that it is sound
and semantically complete. We then show how to instantiate the framework for
several common notions of process behavior and composition. For these notions,
the instantiations result in the first methods known to be complete for mutually
inductive, assume-guarantee reasoning.



1 Introduction 

A large system is typically structured as a composition of several smaller
components that interact with one another. An essential tool for the formal
analysis of such systems is a compositional reasoning method - one that reduces
reasoning about the entire system to reasoning about its individual components.
This is particularly important when applying model checking [10,25] to a
concurrent composition of interacting, non-deterministic processes, where the full
transition system can have size exponential in the number of components. This
state explosion problem is one of the main obstacles to the application of model
checking. Compositional reasoning techniques (see e.g., [12,11]) are particularly
useful for ameliorating state explosion, since they systematically decompose the
model checking task into smaller, more tractable sub-tasks. A typical
assume-guarantee style of reasoning (cf. [9,17,2,6,21,23]) establishes that the
composition of processes P1 and P2 refines the composition of Q1 and Q2 if P1
composed with Q2 refines Q1, and Q1 composed with P2 refines Q2. Here, Q1 and
Q2 act as mutually inductive hypotheses.

* This author’s research is supported in part by NSF grants CCR-009-8141 & ITR- 
CCR-020-5483, and SRC Contract No. 2002-TJ-1026. 
However, existing methods for compositional reasoning can be hard to apply, 
for a number of reasons. Firstly, they are often bound to a particular syntax for 
describing processes, and particular notions of behavior and composition. Thus, 
it is not clear if a reasoning pattern devised for one such choice also applies to 
another. Another key factor is that several methods are known to be incom- 
plete [23]. The completeness failure can usually be traced back to restrictions 
placed to avoid unsound, semantically circular reasoning with assumptions and 
guarantees. As argued in [11], completeness is an important property for a proof 
method. An incomplete method can be a serious impediment in practice, since 
it can make it impossible to prove that a correct program is correct. Moreover, 
the completeness failures demonstrated in [23] all occur for simple and common 
programming patterns. Lastly, safety and liveness properties are handled differ- 
ently by most methods. For instance, the above method is not sound if both Q1
and Q2 include liveness or fairness constraints. It appears that there is a delicate
balance between adding enough restrictions to avoid unsound circular reasoning, 
while yet allowing enough generality to ensure that the method is complete for 
both safety and liveness properties. 

This paper addresses these problems in the following way. First, we construct 
an abstract, algebraic framework to reason about processes and composition. We 
formulate a mutually inductive, assume-guarantee method that applies to both 
safety and liveness properties, and show that it is sound and complete, all within 
the abstract setting. The framework makes explicit all assumptions needed for 
these proofs, uses as few assumptions as possible, and clarifies the key ideas used 
to show soundness and completeness. Our proof method extends the one given 
above with a soundness check for liveness properties. We show that a simple 
extension of the proof method in [6], which replaces Q1 in the second hypothesis
with its safety closure, is also complete. The two methods are closely related, 
but we show that ours is more widely applicable. 

We then show how the abstract framework can be concretized in several dif- 
ferent ways, obtaining a sound and complete method for each instantiation. In 
this paper, we discuss interleaving and fully synchronous composition, and no- 
tions of process behavior that include liveness, fairness, branching and closure 
under stuttering. The resulting instantiations are the first mutually inductive, 
assume-guarantee methods known to be semantically complete for general prop- 
erties. That such diverse notions of composition and behavior can be handled in 
a common framework may seem surprising. To a large extent, this is due to the 
key property that, in each case, composition is represented as a conjunction of 
languages (cf. [4,2]). The abstract framework thus provides a clean separation 
between the general axioms needed for soundness and completeness, and the as- 
sumptions needed for their validity in specific contexts. It simplifies and unifies a 
large body of work, and allows one to easily experiment with - and prove correct
- different patterns of compositional reasoning.

Related Work: Methods for compositional reasoning about concurrent processes 
have been extensively studied for nearly three decades. Assume-guarantee rea- 
soning was introduced by Chandy and Misra [9] and Jones [16] for analyzing 
safety properties. These methods were extended to some progress properties in 
the following decade (e.g., [24]; the book [11] has a comprehensive historical 
survey). More recently, Abadi and Lamport [2] and McMillan [21] extended the 
methods to temporal liveness properties. However, as shown by Namjoshi and 
Trefler [23], these extensions are not complete, usually for liveness properties of 
simple programs. Building on McMillan’s formulation, they present a complete 
method for model checking of linear time temporal logic properties. 

The methods presented in this paper apply to a process refinement methodol- 
ogy. In this setting, the method of [2] for asynchronous composition is incomplete 
[23]. Our methods are complete for asynchronous composition, both with and 
without closure under stuttering. Alur and Henzinger propose a method in [6] 
for the Reactive Modules language. We show that our new formulation, and a 
slight extension of their method are complete for this setting. Henzinger et al.
[15] showed how the same pattern of reasoning applies also to simulation-based 
refinement of Moore machines. Our proof method is different, and applies some- 
what more generally (e.g., to Mealy machines). A major contribution of this 
paper, we believe, is the demonstration that all of these instantiations can be 
obtained from a single abstract pattern of reasoning. There is work by Abadi 
and Plotkin [4], Abadi and Merz [3], Viswanathan and Viswanathan [26], and 
Maier [18] on similar abstract formulations, but none of these result in complete 
methods. For a (non-standard) notion of completeness, Maier [19] shows that 
sound, circular, assume-guarantee rules cannot be complete, and that complete 
rules (in the standard sense) must use auxiliary assertions. 



2 Abstract Compositional Reasoning 

Notation. We use a notation popularized by Dijkstra and Scholten [13]. In the
term (Qx : r(x) : p(x)), Q is a quantifier, r(x) is the range for variable x, and
p(x) is the term being operated on. The operator [φ] (read as "box") universally
quantifies over the free variables of φ. Proof steps are linked by a transitive
connective such as = or ⇒, with an associated hint. For convenience, we move
freely between set-based and predicate-based notations. For instance, a ∈ S may
be written as the predicate S(a), and [A ⇒ B] represents A ⊆ B.

2.1 Processes, Closure, and Composition 

The abstract space of processes is denoted by 𝒫. The set of abstract process
behaviors, 𝓑, is assumed to be equipped with a partial order ≼ (read as "prefix"),
and partitioned into non-empty subsets of finite behaviors, 𝓑*, and infinite
behaviors, 𝓑∞. We make the following assumptions about the behavior space.

WF  𝓑* is downward closed under ≼, and ≼ is well-founded on 𝓑*.

By downward closure, we mean that any prefix of a behavior in 𝓑* is also in
𝓑*. An initial behavior is a finite behavior with no strict prefix. The set of initial
elements, which is non-empty by the well-foundedness assumption, is denoted
by 𝓑0. In our concretizations, behaviors are either computations or computation
trees, under the standard prefix ordering, so that the WF assumption is satisfied.
Initial behaviors then correspond to initial states of a process. The semantics of
an abstract process P is a subset of 𝓑. We call this the language of P and denote
it by L(P). The finite behaviors in the language are denoted by L*(P) and the
infinite behaviors by L∞(P). These subsets must satisfy the following condition.

L1  Every finite prefix of a behavior in L(P) is a finite behavior of P.

This condition can be expressed succinctly by the notion of the limit of a set
of behaviors. For a set S, lim(S) = {x | (∀y : y ≼ x ∧ y ∈ 𝓑* : y ∈ S)}. The
condition L1 is [L(P) ⇒ lim L*(P)]. The closure of a subset S of behaviors,
denoted by cl(S), is the set {x | (∀y : y ∈ 𝓑* ∧ y ≼ x : (∃z : y ≼ z : z ∈ S))}.
I.e., an element x is in cl(S) iff every finite prefix y of x has an "extension"
z that is in S. It is not hard to show that cl is monotonic, idempotent, and
weakening. We call a set S where [cl(S) = S] a safety property, and a set
S where [cl(S) = true] a liveness property, in analogy with the definitions of
temporal safety and liveness in [5].

Lemma 0. (cf. [5,20]) Any set of behaviors, S, can be expressed as the
intersection of the safety property cl(S) and the liveness property (¬cl(S) ∨ S). □

The main process composition operator is denoted by //, and maps a finite
subset of 𝒫 to 𝒫. The process closure operator, CL, has signature CL : 𝒫 → 𝒫.
The process choice operator, +, also maps a finite subset of 𝒫 to 𝒫. We say that
process P refines process Q, written as P ⊨ Q, provided that [L(P) ⇒ L(Q)].

We assume that these operators enjoy the following properties.

P1  Composition is conjunction of languages: [L(//i : Pi) = (∧i : L(Pi))]. This
implies the corresponding assertions for L* and L∞.

P2  Choice is disjunction of languages: [L(+i : Pi) = (∨i : L(Pi))].

P3  Closure represents language closure: [L(CL(P)) = cl(L(P))].

Thus, // and + are associative and commutative. To state the circular reasoning
method, we also need the concepts of behavior equivalence and non-blocking.

Behavior Equivalence: For each process P, we assume the existence of an
equivalence relation ~_P on 𝓑*. This relation is used to state when two behaviors
are to be considered equivalent relative to P - for example, in a concrete setting,
two computations that agree on values of the external variables of P would be
equivalent. We define the closure function, (~_P), induced by this relation as
(~_P)(S) = {x | (∃y : y ∈ S ∧ x ~_P y)}, for any subset S of behaviors. This must
have the property below.

BEQ  For any process P, L(P) is closed under ~_P: [(~_P)(L(P)) ⇒ L(P)].

Non-blocking: Process Q does not block a process P iff

(a) for every initial behavior of P there is a matching initial behavior of P // Q.
Formally, [𝓑0 ∧ L*(P) ⇒ (~_P)(𝓑0 ∧ L*(P // Q))], and
    P1:: var x: (0,1); trans. x' = y

    P2:: var y: (0,1); trans. y' = x

    T::  var x,y: (0,1); fair inf. often (x=1) and inf. often (y=1)

    Q1:: var x: (0,1); fair inf. often (x=1)

    Q2:: var y: (0,1); fair inf. often (y=1)

Fig. 1. Unsoundness for liveness

(b) every extension by P of a finite behavior of P // Q has a matching extension in
P // Q. Formally, for any x, y, if x ∈ L*(P) and y ≺ x and y ∈ L*(P // Q),
then x ∈ (~_P)(L*(P // Q)).

Note: This completes the list of postulates. It may also be interesting to know
what we do not postulate: we do not assume that process languages exhibit either
machine-closure or receptivity, and we do not require the behavior equivalence
relations to be a congruence relative to //. It is the lack of the latter restriction
that lets us concretize the framework to stuttering closed languages.



2.2 Compositional Reasoning 

The aim of a compositional reasoning method is to provide a systematic way of
breaking down a proof that a composition (//i : Pi) refines a target process T
into proof steps that reason individually about each Pi. This is done by
abstracting the other processes into an environment for Pi. To uniformly handle
such environments, we generalize the original problem into showing that (//i : Pi)
refines T when constrained by an environment process, E. The choice composition
operator can be handled quite simply: E // (+i : Pi) ⊨ T if, and only if, (from
P2), for every i, E // Pi ⊨ T. We assume that, in the typical case, the
composition (//i : Pi) is too large to be handled directly, by model checking
methods, but that T and E are small. Consider the two process case:
E // P1 // P2 ⊨ T.

A non-circular reasoning method shows that E // P1 // P2 ⊨ T by finding Q
such that (a) E // P1 ⊨ Q, and (b) Q // P2 ⊨ T. Soundness follows immediately
from P1 and the transitivity of ⊨. This method is most useful when the
interaction between P1 and P2 is in one direction only. For bi-directional
interaction, it is often convenient to reason in a mutually inductive manner, as in
the following (syntactically) circular reasoning method, where Q1 and Q2 supply
the mutually inductive hypotheses. For i ∈ {1, 2}, we write ī for the other index.

Circular Reasoning I: To show that E // P1 // P2 ⊨ T, find Q1, Q2 such
that (a) for some i, Q_i does not block P_ī, and [~_{P_ī} ⇒ ~_{Q_ī}], (b) P1 // Q2 ⊨ Q1,
(c) Q1 // P2 ⊨ Q2, and (d) E // Q1 // Q2 ⊨ T.

This method is easily shown to be complete for processes P1 and P2 such
that one does not block the other: given that E // P1 // P2 ⊨ T, choose P1 for Q1
and P2 for Q2. It is sound for finite behaviors - the non-blocking hypothesis (a)
enables a mutual induction on finite behaviors using (b) and (c).

However, this method is not sound in general - it is unsound when both Q1
and Q2 define liveness properties. Since it is difficult to exhibit the unsoundness
in the abstract, consider the concrete setting of Fig. 1, where // is interpreted
as synchronous composition, and the behavior of a process is the set of its
computations. Each process is specified by its initial condition, a transition
relation (a primed variable refers to its next value), and a fairness constraint on
infinite computations (unspecified components are true, i.e., unconstrained).

The composition P1 // P2 does not refine T, since it has a computation where x
and y are both always 0. However, consider the processes Q1 and Q2 in Fig. 1. As
their initial and transition conditions are unconstrained, they are non-blocking,
satisfying hyp. (a). The fairness condition of Q2 requires that y = 1 is true
infinitely often in any computation of P1 // Q2, so the update x' = y in P1 forces
x = 1 to be true infinitely often, ensuring that hyp. (b) holds. Hyp. (c) holds for
a similar reason. Hyp. (d) holds since Q1 and Q2 together satisfy T. Thus, the
method leads to the unsound conclusion that P1 // P2 does refine T.

2.3 A Sound and Complete Method 

The previous example shows that a method based on mutual induction is not
always sound for liveness properties; however, it is hard to ascribe a reason for
the failure. One possible explanation is that the problem arises from the lack
of an inductive structure: in the example, both Q1 and Q2 restrict only the
"future" of a computation. This observation has led to several methods (e.g.,
[2,21,23]) where a temporal next-time operator supplies the necessary well-founded
structure. Here, we adopt a different strategy, and augment the previous method
with an additional check to ensure that the reasoning is sound.

Circular Reasoning II: To show that E // P1 // P2 ⊨ T, find Q1, Q2 such
that the conditions (a)-(d) from Circular Reasoning I hold, and additionally,
(e) for some i, E // Pi // CL(T) ⊨ (T + Q1 + Q2).

To gain some intuition for the new hypothesis (e), consider the earlier
soundness failure. The reasoning fails because the error computation π, where
x and y are both always 0, is ignored by hypotheses (b) and (c), since neither
Q1 nor Q2 contains π. The "missing" computations are those, such as π, that
belong to L(P1 // P2), but not to either of L(Q1) or L(Q2). We want these
computations to also be part of L(T). As is shown by the soundness proof below,
hypotheses (a)-(d) ensure that all computations of P1 // P2 belong to the safety
part of the language of T. Thus, the missing computations must belong to the
liveness part of T. A direct statement of this condition is:
[L(E) ∧ L(P1 // P2) ∧ ¬(L(Q1) ∨ L(Q2)) ⇒ (¬cl(L(T)) ∨ L(T))]. However,
this includes P1 // P2, which is just what we are trying to avoid reasoning about
directly.

We show in the soundness proof that one can replace P1 // P2 with a single
process, Pi, resulting in a stronger condition, but without sacrificing
completeness. Rearranging the new condition, we get that, for some i,
[L(E) ∧ L(Pi) ∧ cl(L(T)) ⇒ (L(Q1) ∨ L(Q2) ∨ L(T))]. Put in terms of the process
operators using P1-P3, this is just condition (e). For our example, both L(E) and
cl(L(T)) are true (i.e., the set of all computations), and condition (e) does not
hold - as expected - for either P1 or P2, because π belongs to both processes, but
not to either of T, Q1, or Q2. We show completeness first, which is the simpler
half of the proof.
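To make the unsoundness of Circular Reasoning I and the role of hypothesis (e) concrete, here is an added example (not code from the paper) that encodes the five processes of Fig. 1 as transition and fairness predicates over the four states of (x, y) and decides each refinement by enumerating ultimately periodic computations. The names Proc, compose, Choice, refines and circular_reasoning are this example's own; CL(T) is written down by hand as the unconstrained process, as the text states that cl(L(T)) is the set of all computations; and the lasso enumeration is adequate for the "infinitely often" fairness constraints of Fig. 1 but is not a general model checker.

```python
"""Checking the hypotheses of Circular Reasoning I/II on the processes of Fig. 1.
A process is a transition predicate on (state, next state) plus a fairness predicate
on the set of states visited infinitely often.  Computations are represented as
lassos (prefix, cycle) over the states (x, y) in {0,1} x {0,1}; all states are
initial, since Fig. 1 places no initial conditions."""

STATES = [(x, y) for x in (0, 1) for y in (0, 1)]   # (x, y)


class Proc:
    def __init__(self, name, trans=lambda s, t: True, fair=lambda inf: True):
        self.name, self.trans, self.fair = name, trans, fair

    def accepts(self, prefix, cycle):
        """Is prefix . cycle^omega in L(self)?  Every step, including the back edge of
        the cycle, must satisfy trans; fairness sees the states on the cycle."""
        path = list(prefix) + list(cycle) + [cycle[0]]
        return all(self.trans(s, t) for s, t in zip(path, path[1:])) and self.fair(set(cycle))


def compose(*procs):
    """Synchronous composition: conjunction of languages (postulate P1)."""
    return Proc("//".join(p.name for p in procs),
                lambda s, t: all(p.trans(s, t) for p in procs),
                lambda inf: all(p.fair(inf) for p in procs))


class Choice:
    """Process choice: disjunction of languages (postulate P2)."""
    def __init__(self, *procs):
        self.name, self.procs = "+".join(p.name for p in procs), procs

    def accepts(self, prefix, cycle):
        return any(p.accepts(prefix, cycle) for p in self.procs)


def walks(trans, length):
    """All state sequences of the given length whose consecutive pairs satisfy trans."""
    if length == 1:
        return [(s,) for s in STATES]
    return [w + (t,) for w in walks(trans, length - 1) for t in STATES if trans(w[-1], t)]


def lassos(proc, max_prefix=1, max_cycle=6):
    """Ultimately periodic computations of proc.  With four states, cycles of length
    up to 6 reach every set of states that can occur infinitely often."""
    prefixes = [()] + [w for n in range(1, max_prefix + 1) for w in walks(proc.trans, n)]
    for n in range(1, max_cycle + 1):
        for cycle in walks(proc.trans, n):
            for prefix in prefixes:
                if proc.accepts(prefix, cycle):
                    yield prefix, cycle


def refines(a, b):
    """Decide a |= b, i.e. [L(a) => L(b)]: (True, None) or (False, counterexample)."""
    for prefix, cycle in lassos(a):
        if not b.accepts(prefix, cycle):
            return False, (prefix, cycle)
    return True, None


# The processes of Fig. 1; unspecified components are unconstrained.
P1 = Proc("P1", trans=lambda s, t: t[0] == s[1])                 # x' = y
P2 = Proc("P2", trans=lambda s, t: t[1] == s[0])                 # y' = x
Q1 = Proc("Q1", fair=lambda inf: any(s[0] == 1 for s in inf))    # inf. often x = 1
Q2 = Proc("Q2", fair=lambda inf: any(s[1] == 1 for s in inf))    # inf. often y = 1
T = Proc("T", fair=lambda inf: Q1.fair(inf) and Q2.fair(inf))   # both, inf. often
E = Proc("E")                                                     # unconstrained environment
CL_T = Proc("CL(T)")   # T constrains only fairness, so cl(L(T)) is every computation


def circular_reasoning(E, P1, P2, Q1, Q2, T):
    """The goal E // P1 // P2 |= T and hypotheses (b)-(e); (a) holds here because
    Q1 and Q2 place no initial or transition constraints."""
    return {
        "goal": refines(compose(E, P1, P2), T),
        "b": refines(compose(P1, Q2), Q1),
        "c": refines(compose(Q1, P2), Q2),
        "d": refines(compose(E, Q1, Q2), T),
        "e1": refines(compose(E, P1, CL_T), Choice(T, Q1, Q2)),   # (e) with i = 1
        "e2": refines(compose(E, P2, CL_T), Choice(T, Q1, Q2)),   # (e) with i = 2
    }


if __name__ == "__main__":
    for name, (holds, cex) in circular_reasoning(E, P1, P2, Q1, Q2, T).items():
        print(name, "holds" if holds else f"fails, counterexample {cex}")
```

The run reproduces the argument of the text: (b), (c) and (d) all hold, yet the goal fails on the lasso whose cycle is the single state (0, 0), the computation π with x and y always 0; and (e) fails for both i = 1 and i = 2 on that same lasso, which is how Circular Reasoning II refuses the unsound conclusion that Circular Reasoning I accepts.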

Theorem 0 . (Completeness) For processes Pi,P2 such that one of the pro- 
cesses does not block the other, and for any process T, if E jj P\ jj P2 |= T , then 
this can be shown using the Circular Reasoning II method. 

Proof. Choose Qi = P\ and Q2 = P2- Condition (a) holds by the non-blocking 
assumption. Condition (b) becomes Pi (f P2 H which, by the definition of 
1 = and assumption PI, is equivalent to [C{Pi) A C{P2) £(Pi)], which 

is trivially true. Conditions (c) and (d) can be dealt with in a similar manner. 
Condition (e), for i = 1 , simplifies, using P 1 -P 3 , to [C{E) A C{P\) A cl{C{T)) 
£(T) V C{Pi) V C{P2)], which is true trivially. □ 

Note: The completeness proof, as may be expected, considers the worst
case, where $Q_1 = P_1$ and $Q_2 = P_2$. This is unavoidable in general, because it is a
manifestation of the state explosion problem. However, the language of a process
is usually given by its external input-output behavior, which can be much less
complex than its full behavior. Thus, $Q_i$, which represents external behavior, can
be smaller than $P_i$, and yet be an adequate replacement for it in the method.

Soundness requires a more complex proof. First, we show, using well-founded
induction on $\prec$ and hypotheses (a)-(d), that the finite language of $P_1 \| P_2$ is
contained in the finite language of $Q_1 \| Q_2$. This is used to prove that any
behavior of $E \| P_1 \| P_2$ is a safe behavior of $T$. We then utilize hypothesis (e)
to conclude that all behaviors of $E \| P_1 \| P_2$ are behaviors of $T$.

Lemma 1. For processes $P_1, P_2, Q_1, Q_2$, and $T$ satisfying the conditions of the
Circular Reasoning II method, $[\mathcal{L}_*(P_1 \| P_2) \subseteq \mathcal{L}_*(Q_1 \| Q_2)]$.

Proof. This proof is based on well-founded induction on the set of finite behaviors.
Both the base and inductive cases make use of the non-blocking hypothesis
(a), and the mutual induction supplied by hypotheses (b) and (c) on the processes
$Q_1$ and $Q_2$. Without loss of generality, we assume that hyp. (a) holds for
the pair $(P_1, Q_2)$; the proof is symmetric in the other case.

(Base case: initial elements) For any initial behavior $x$, $x$ is in $\mathcal{L}_*(P_1 \| P_2)$ iff
(by P1) it belongs to both $\mathcal{L}_*(P_1)$ and $\mathcal{L}_*(P_2)$. As $Q_2$ does not block $P_1$, $x$ is
in $(\approx_{P_1})(B_n \wedge \mathcal{L}_*(P_1 \| Q_2))$. From Hyp. (b), $x$ belongs to $(\approx_{P_1})(B_n \wedge \mathcal{L}_*(Q_1))$.
As Hyp. (a) holds, using BEQ and the monotonicity of $(\approx_{P_1})$, $x$
belongs to $\mathcal{L}_*(Q_1)$. Since $x$ belongs to both $\mathcal{L}_*(P_2)$ and $\mathcal{L}_*(Q_1)$, using P1 and
Hyp. (c), it belongs to $\mathcal{L}_*(Q_2)$ and thus (by P1) to $\mathcal{L}_*(Q_1 \| Q_2)$.

(Inductive case) Consider any non-initial behavior $x$ in $\mathcal{L}_*(P_1 \| P_2)$. Let $y$
be a strict prefix of $x$. By WF, $y$ is a finite behavior, so, by L1, it belongs to
$\mathcal{L}_*(P_1 \| P_2)$. From the inductive hypothesis, $y$ belongs to $\mathcal{L}_*(Q_1 \| Q_2)$. It follows
from P1 that $y$ belongs to $\mathcal{L}_*(P_1 \| Q_2)$. As $Q_2$ does not block $P_1$ (Hyp. (a)), and
$x$ belongs to $\mathcal{L}_*(P_1)$, it follows that $x$ belongs to $(\approx_{P_1})(\mathcal{L}_*(P_1 \| Q_2))$. Reasoning
now as in the earlier case, it follows that $x$ belongs to $\mathcal{L}_*(Q_1 \| Q_2)$. □

Lemma 2. For any process $P$, $[cl(\mathcal{L}(P)) = \lim \mathcal{L}_*(P)]$.

Proof. For any $x$, $x \in cl(\mathcal{L}(P))$ iff (by definition of closure)
$(\forall y : y \in B_* \wedge y \prec x : (\exists z : y \prec z \wedge z \in \mathcal{L}(P)))$. By condition L1, this is
equivalent to $(\forall y : y \in B_* \wedge y \prec x : y \in \mathcal{L}_*(P))$ - i.e., $x$ is in $\lim \mathcal{L}_*(P)$. □



Theorem 1. (Soundness) For processes $E, P_1, P_2, Q_1, Q_2$, and $T$ satisfying
the conditions of Circular Reasoning II, $[\mathcal{L}(E \| P_1 \| P_2) \Rightarrow \mathcal{L}(T)]$.



Proof. The decomposition of $\mathcal{L}(T)$ into safety and liveness components gives us
a natural decomposition of this proof into safety and liveness proofs. The safety
proof shows that $[\mathcal{L}(E \| P_1 \| P_2) \Rightarrow cl(\mathcal{L}(T))]$, while the liveness proof shows
that $[\mathcal{L}(E \| P_1 \| P_2) \Rightarrow (\neg cl(\mathcal{L}(T)) \vee \mathcal{L}(T))]$.

(Safety)

$\mathcal{L}(E \| P_1 \| P_2)$
$\Rightarrow\ cl(\mathcal{L}(E \| P_1 \| P_2))$   (cl is weakening)
$=\ \lim \mathcal{L}_*(E \| P_1 \| P_2)$   (Lemma 2)
$\Rightarrow\ \lim \mathcal{L}_*(E \| Q_1 \| Q_2)$   (Lemma 1; monotonicity of lim)
$=\ cl(\mathcal{L}(E \| Q_1 \| Q_2))$   (Lemma 2)
$\Rightarrow\ cl(\mathcal{L}(T))$   (by hyp. (d); monotonicity of cl)

(Liveness)

$\mathcal{L}(E \| P_1 \| P_2) \wedge cl(\mathcal{L}(T))$
$=\ \mathcal{L}(E \| P_1 \| P_2) \wedge \mathcal{L}(CL(T))$   (by P3)
$=\ \mathcal{L}(E) \wedge \mathcal{L}(P_1) \wedge \mathcal{L}(P_2) \wedge \mathcal{L}(CL(T))$   (by P1)
$\Rightarrow\ \mathcal{L}(E) \wedge \mathcal{L}(P_1) \wedge \mathcal{L}(P_2) \wedge \mathcal{L}(T + Q_1 + Q_2)$   (by hyp. (e) (pick $i = 1$))
$=\ \mathcal{L}(E) \wedge \mathcal{L}(P_1) \wedge \mathcal{L}(P_2) \wedge (\mathcal{L}(T) \vee \mathcal{L}(Q_1) \vee \mathcal{L}(Q_2))$   (by P2)
$\Rightarrow\ \mathcal{L}(T) \vee (\mathcal{L}(E) \wedge \mathcal{L}(P_2) \wedge \mathcal{L}(Q_1)) \vee (\mathcal{L}(E) \wedge \mathcal{L}(P_1) \wedge \mathcal{L}(Q_2))$   ($\wedge$ over $\vee$; dropping conjuncts)
$\Rightarrow\ \mathcal{L}(T) \vee (\mathcal{L}(E) \wedge \mathcal{L}(Q_1) \wedge \mathcal{L}(Q_2))$   (by P1; hyp. (b) and (c))
$\Rightarrow\ \mathcal{L}(T)$   (by hyp. (d))

□



Note: One can replace hyp. (e) with (e'): for some $i$,
$E \| P_i \| CL(Q_1) \| CL(Q_2) \models (T + Q_1 + Q_2)$, without losing either soundness
or completeness. Hyp. (e') is weaker (by hyp. (d)) than (e), so it is more
likely to hold. However, it might also be more difficult to check in practice as
$CL(Q_1) \| CL(Q_2)$ could have size larger than $CL(T)$. Hyp. (e') holds if either
$\mathcal{L}(Q_1)$ or $\mathcal{L}(Q_2)$ is a safety language, showing that the first circular reasoning
rule is sound in this case.

The new hypothesis also provides a direct link to the reasoning method proposed
by Alur and Henzinger in [6]. In our notation, it reads as follows: to show
that $P_1 \| P_2 \models Q_1 \| Q_2$, prove that (i) $P_1 \| Q_2 \models Q_1$, and (ii) $P_2 \| CL(Q_1) \models Q_2$
(non-blocking is assured by the language definition). This is incomplete as stated,
but it can be generalized to showing that $P_1 \| P_2 \models T$ by making a choice of
$Q_1, Q_2$ such that (i) and (ii) hold, as well as (iii) $Q_1 \| Q_2 \models T$. This is sound,
by arguments in [6], as well as complete (choose $P_i$ for $Q_i$).

Both methods are complete, but we may go further and compare their solution
sets for $\{Q_i\}$ (i.e., those that satisfy the hypotheses), for fixed $\{P_i\}$ and $T$.
In one direction, if (i)-(iii) hold for $\{Q_i\}$, so do the hypotheses (a)-(e') of Circular
Reasoning II, for the same choice. Hyp. (a) is the non-blocking property.
Hyp. (b),(d) are identical to (i),(iii), respectively. Hyp. (c) holds using (ii) and
the weakening property of cl. Finally, Hyp. (e') holds for $P_2$ using (ii). The
converse "almost" holds (assuming non-blocking): from (e) (for $P_2$) and (c), one can
derive that $P_2 \| CL(Q_1) \models Q_2 + T$, which is weaker than hyp. (ii). It turns out,
in fact, that there are specific $\{P_i\}, \{Q_i\}$, and $T$ for which the hypotheses of our
method hold, but those of the generalized [6] method do not. This implies that
our method is more widely applicable. Indeed, we had noticed in earlier work [7,
8] that it was not possible to use the generalized Alur-Henzinger rule for $Q_i$ with
liveness constraints that were automatically generated from property $T$. In [7],
we showed that conditions (a), (d), and (e) always hold for the generated $Q_i$'s,
thus leaving one to (safely) apply the mutually inductive checks (b) and (c).

3 Concrete Compositional Reasoning 

In this section, we show how the abstract framework can be instantiated for
a variety of composition operators and language definitions in shared-variable
concurrency. For each choice, we show that assumptions WF, L1, P1-P3, and
BEQ are met. For lack of space, detailed proofs are left to the full version.

We assume available a set of variable names, with associated domains of
values. For a variable $w$, the primed variable $w'$ is used to denote the value of
$w$ in the next state. A process, $P$, is given by a tuple $(z, \iota, \tau, \Phi)$, where: $z$ is a
finite set of variables, partitioned into local variables ($x$) and interface variables
($y$), $\iota(z)$ is an initial condition, $\tau(z, z')$ is a transition relation, relating current
and next values of $z$, and $\Phi(z)$ is a temporal fairness formula defining a fairness
condition on the states. A state of $P$ is a function giving values to its variables.
We write states as pairs $(a, b)$, where $a$ is the value of $x$ and $b$ the value of $y$.
A path, $\pi$, is a finite or infinite sequence of states where for each $i$ such that
$0 < i < |\pi|$, $\tau(\pi_{i-1}, \pi_i)$ holds; $|\pi|$ is the length of $\pi$ (the number of states on
it). A state $t$ is reachable from state $s$ by a path $\pi$ of length $n$ iff $\pi_0 = s$ and
$\pi_{n-1} = t$.

A process exhibits finite local branching (cf. [1]) if (i) for each $b$, there are
finitely many $a$ such that $(a, b)$ is an initial state, and (ii) for any state $(a, b)$
and any $b'$, there are finitely many $a'$ such that $(a', b')$ is reachable from $(a, b)$
by a path where the value of $y$ is $b$ for all non-final states. We assume that all
processes satisfy this restriction. We use temporal logic to define the languages
of processes. We only need the operators $G$ (always) and $\overset{\infty}{G}$ (from some point
on). Formally, for a sequence $\pi$, and a predicate $q$ on states (transitions), $G(q)$
holds of $\pi$ iff $q$ holds for every state (transition) on $\pi$. For an infinite sequence $\pi$,
and a predicate $q$, $\overset{\infty}{G}(q)$ holds of $\pi$ if, from some $k \in \mathbb{N}$, the suffix of $\pi$ starting
at point $k$ satisfies $G(q)$. The path operator $A$ quantifies over all paths from a
state.
3.1 Linear-Time Interleaving Semantics

In the interleaving semantics, the language of a process, $P_i$, is defined relative
to an external context for $P_i$. The context is represented by a set of variables,
$w_i$, disjoint from $z_i$ (we write $z_i$ instead of $z_{P_i}$ for clarity). The language is a
subset of the set of sequences, both finite and infinite, of valuations to $z_i \cup w_i$.
We denote the language by the expression $\mathcal{L}_{lt}(P_i)(z_i; w_i)$, where ";" is used to
separate the process' variables from its context. The set of finite computations
$\mathcal{L}^*_{lt}(P_i)(z_i; w_i)$ is defined by the temporal logic formula below, where, for a set
$X$ of variables, $unch(X) = (\forall x : x \in X : x' = x)$.

$\iota_i(z_i) \wedge G((\tau_i(z_i, z_i') \wedge unch(w_i)) \vee unch(x_i))$

This formula ensures that the first state is an initial one, every transition
is either that of $P_i$ and leaves the context $w_i$ unchanged, or is an "environment"
transition that leaves the local variables of $P_i$ unchanged. The set of
infinite sequences in the language, denoted by $\mathcal{L}^\omega_{lt}(P_i)(z_i; w_i)$, is defined by the
same formula (interpreted over infinite sequences), together with the constraint
$\Phi_i(z_i)$ which ensures that the fairness condition of $P_i$ holds. The full language,
$\mathcal{L}_{lt}(P_i)(z_i; w_i)$, is given by $\mathcal{L}^*_{lt}(P_i)(z_i; w_i) \cup \mathcal{L}^\omega_{lt}(P_i)(z_i; w_i)$. The external
language of process $P_i$ for context $w_i$ is denoted by $\mathcal{L}_{ext}(P_i)(y_i; w_i)$. It is defined
as the projection of the language of $P_i$ on its interface and context variables:
i.e., $\mathcal{L}_{ext}(P_i)(y_i; w_i) = (\exists x_i : \mathcal{L}_{lt}(P_i)(z_i; w_i))$. Here, existential quantification
refers to the choice of a sequence of values for $x_i$. Two computations are behavior
equivalent relative to $P_i$ iff their projections on $y_i \cup w_i$ are identical. The ordering
$\prec$ is defined as the prefix ordering on finite sequences. This choice satisfies
WF. From the language definitions, every finite prefix of a sequence in $\mathcal{L}_{lt}(P)$
satisfies the initial and transition conditions, and is thus in $\mathcal{L}^*_{lt}(P)$, so that L1
holds for $\mathcal{L}_{lt}(P)$. As $\mathcal{L}_{ext}(P)$ is defined over the non-local variables of $P$, it
satisfies BEQ.

Interleaving Composition. For a set of processes $\{P_i\}$, their interleaving composition
$Q$ is denoted as $(\| i : P_i)$. It is defined provided that the local variables of
each process are disjoint from the variables of other processes; i.e., $x_i \cap z_j = \emptyset$ for
$i \neq j$. The process $Q$ has local variables $(\cup i : x_i)$, interface variables $(\cup i : y_i)$,
initial condition $(\wedge i : \iota_i(z_i))$, and fairness condition $(\wedge i : \Phi_i(z_i))$.

For any $i$, let $X_i$ be the set of local variables of the other processes; formally,
$X_i = x_Q \setminus x_i$. Let $Y_i$ be the set of interface variables of other processes
that are not shared with the interface variables of process $P_i$; formally,
$Y_i = y_Q \setminus y_i$. Let $Z_i = X_i \cup Y_i$. The transition relation of $Q$ is defined to be
$(\vee i : \tau_i(z_i, z_i') \wedge unch(Z_i))$. This definition implies that a transition of process
$P_i$ leaves unchanged the values of all variables that are not shared with $P_i$.

It is important to note that we do not distinguish between the usage of shared 
variables, such as read-only or write-only variables. All shared variables can be 
both read and written to by the sharing processes. Since this is the most general 
case, our results apply to more specific situations as well. 
Non-blocking: The condition on $\approx_{P_i}$ in hyp. (a) of the Circular
Reasoning II method is equivalent to saying that $y_{Q_i}$ is a subset of $y_{P_i}$. Furthermore,
only the first part of the non-blocking definition (for initial states) is
needed, because, for any $x, y$: if $x$ is a finite computation in $\mathcal{L}_*(P)$, $y \prec x$ and
$y \in \mathcal{L}_*(P \| Q)$, then $y$ can be extended to a computation $z$ in $\mathcal{L}_*(P \| Q)$ such
that $z$ and $x$ agree on the external variables of $P$ by following the transitions in
$x$ while keeping the local variables of $Q$ unchanged.

Theorem 2. (P1 for $\mathcal{L}_{lt}$) Let $\{P_i\}$ be a set of processes such that $Q = (\| i : P_i)$
is defined, and let $w$ be a context for $Q$. Then,
$[\mathcal{L}_{lt}(Q)(z_Q; w) = (\wedge i : \mathcal{L}_{lt}(P_i)(z_i; w \cup Z_i))]$. □

The previous theorem shows that asynchronous composition corresponds to 
conjunction of languages. We are usually interested only in the externally visible 
behavior of a process. Abadi and Lamport showed in [2] that a similar theorem 
applies to the external languages, under restrictions which ensure that the exter- 
nal language is closed under stuttering (i.e., finite repetition of states). However, 
there are applications such as the analysis of timing diagrams [8], where one 
wants to count the number of events in an asynchronous system, and this is not 
a stuttering-closed language. We therefore show the analogous theorem under a 
different non-interference assumption on composition. 

The mutex Assumption: A set of processes {Pi} satisfies this assumption 
if in any jointly enabled transition, at most one process changes its local state. 
This may be realized in practice by using a turn-based interleaving scheduler, 
possibly implemented by the processes themselves, and guarding each transition 
with a check that it is the process’ turn. 

Theorem 3. (P1 for $\mathcal{L}_{ext}$) Let $\{P_i\}$ be a set of processes such that $Q = (\| i : P_i)$
is defined, and let $w$ be a context for $Q$. Under the mutex assumption for $\{P_i\}$,
$[\mathcal{L}_{ext}(Q)(y_Q; w) = (\wedge i : \mathcal{L}_{ext}(P_i)(y_i; w \cup Y_i))]$. □

Stuttering Equivalence: Stuttering refers to finite repetition of identical values.
Two sequences are stuttering equivalent if they are identical up to such finite
repetition. The language of a process is closed relative to stuttering; however, its
external language is not, as existential quantification does not preserve closure
in general. The stuttering closed external language of $P_i$ for context $w$ is denoted
by $\hat{\mathcal{L}}_{ext}(P_i)(y_i; w)$, and is defined as $(\hat{\exists} x_i : \mathcal{L}_{lt}(P_i)(z_i; w))$. Here, $\hat{\exists}$ is a stuttering
closed version of $\exists$, defined by: for a sequence $\pi$ over a set of variables $W$,
$\pi \in (\hat{\exists} X : S(X, W))$ iff there exists a sequence $\xi$ defined over $X \cup W$ such that
$\pi$ and $\xi$ are stuttering equivalent on $W$, and $\xi \in S$.

The Sequencing Assumption: This is a semantic formulation of the syntactic
constraints considered by Abadi and Lamport in [2]. It holds if, for every
jointly enabled transition $t$ of $Q = (\| i : P_i)$, there is a finite sequence $\sigma$ that
satisfies the transition condition of $Q$ on all transitions, and $\sigma$ and $t$ are stuttering
equivalent relative to the external variables $y_Q \cup w$.

Theorem 4. (P1 for $\hat{\mathcal{L}}_{ext}$ (cf. [2])) Let $\{P_i\}$ be a set of processes such that
$Q = (\| i : P_i)$ is defined, and let $w$ be a context for $Q$. Under the sequencing
assumption, and if $\Phi_Q$ is stuttering-closed relative to $y_Q \cup w$,
$[\hat{\mathcal{L}}_{ext}(Q)(y_Q; w) = (\wedge i : \hat{\mathcal{L}}_{ext}(P_i)(y_i; w \cup Y_i))]$. □

Process Choice. For a set of processes $\{P_i\}$, the process $C = (+ i : P_i)$ is defined
whenever $(\| i : P_i)$ is defined, with local variables $(\cup i : x_i) \cup \{c\}$, where $c$ is
a fresh variable not in $(\cup i : x_i)$, interface variables $(\cup i : y_i)$, initial condition
$(\vee i : c = i \wedge \iota_i(z_i))$, transition relation $(c' = c) \wedge (\wedge i : c = i \Rightarrow \tau_i(z_i, z_i'))$, and
fairness condition $(\vee i : \overset{\infty}{G}(c = i) \wedge \Phi_i(z_i))$. The variable $c$ records the initial
(fixed) choice of $\{P_i\}$. The following theorem is an easy consequence.

Theorem 5. (P2 for $\mathcal{L}_{ext}$ and $\hat{\mathcal{L}}_{ext}$) For a set of processes $\{P_i\}$ such that $C =
(+ i : P_i)$ is defined, and a context $w$ for $C$, (i) $[\mathcal{L}_{ext}(C)(y_C; w) = (\vee i :
\mathcal{L}_{ext}(P_i)(y_i; w))]$, and (ii) $[\hat{\mathcal{L}}_{ext}(C)(y_C; w) = (\vee i : \hat{\mathcal{L}}_{ext}(P_i)(y_i; w))]$. □

Process Closure. For a process $Q$, let $CL(Q)$ be the process $(z_Q, \iota_Q, \tau_Q, true)$.
I.e., $CL(Q)$ has the same transition structure as $Q$, but has a trivial fairness
constraint. The proof of the following theorem relies on the finite local branching
requirement and König's Lemma.

Theorem 6. (P3 for $\mathcal{L}_{ext}$ and for $\hat{\mathcal{L}}_{ext}$ (cf. [1])) For any process $Q$ and context
$w$ for $Q$, $[\mathcal{L}_{ext}(CL(Q))(y_Q; w) = cl(\mathcal{L}_{ext}(Q)(y_Q; w))]$; and
$[\hat{\mathcal{L}}_{ext}(CL(Q))(y_Q; w) \subseteq cl(\hat{\mathcal{L}}_{ext}(Q)(y_Q; w))]$. □

3.2 Synchronous Semantics 

In the synchronous semantics, all processes in a composition make a transition
simultaneously. Synchronous semantics are appropriate for modeling hardware
systems, where several components are controlled by a single clock. The language
of a process, $P_i$, is a subset of the set of sequences, both finite and infinite,
of valuations to $z_i$. The finite part of the language, denoted by $\mathcal{L}^*(P_i)(z_i)$, is
given by the temporal formula $\iota_i(z_i) \wedge G(\tau_i(z_i, z_i'))$. The infinite part, denoted
by $\mathcal{L}^\omega(P_i)(z_i)$, is given by sequences satisfying the same formula, but with the
additional fairness constraint, $\Phi_i(z_i)$. The full language, denoted by $\mathcal{L}(P_i)(z_i)$,
is $\mathcal{L}^*(P_i)(z_i) \cup \mathcal{L}^\omega(P_i)(z_i)$. The external language of the process, denoted by
$\mathcal{L}_{ext}(P_i)(y_i)$, is defined, as before, by $(\exists x_i : \mathcal{L}(P_i)(z_i))$.

Synchronous Composition. For a set of processes $\{P_i\}$, their synchronous
composition $Q$ is denoted as $(\| i : P_i)$. The components of $Q$ are defined as for
interleaving composition, except the transition relation, which is defined as
$(\wedge i : \tau_i(z_i, z_i'))$, since transitions are simultaneous. Process choice and closure
are defined exactly as in the asynchronous case. Similarly, the behavior equivalence
relationship from Hyp. (a) of the method is given by $y_{Q_i} \subseteq y_{P_i}$. Completely
specified Moore machines are non-blocking by definition. Mealy machines can
be made non-blocking by syntactically preventing combinational cycles between
the input-output variables of the composed processes (e.g., as in Reactive Modules
[6]). In [7], it is shown that these definitions enjoy the properties P1-P3;
thus, the Circular Reasoning II method is applicable.
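As an added example (not code from the paper), the following Python module builds shared-variable processes as in Section 3, forms their interleaving composition (Section 3.1) and synchronous composition (Section 3.2) as defined above, enumerates the finite computations of length at most $k$ admitted by the interleaving formula $\iota_i(z_i) \wedge G((\tau_i(z_i, z_i') \wedge unch(w_i)) \vee unch(x_i))$ (respectively $\iota \wedge G(\tau)$ in the synchronous case), and checks the shape of property P1 on that bounded prefix: the language of the composition equals the conjunction of the component languages, each taken relative to the context $w \cup Z_i$. The two toy processes, the variable names pc1, pc2, turn, e and their Boolean domains are constructed for the example; fairness conditions are omitted since only finite computations are enumerated.

```python
"""Shared-variable processes, interleaving and synchronous composition, and a
bounded check of property P1.  Added example: processes, variable names and
domains are constructed; fairness is omitted (only finite computations)."""
from itertools import product


class Process:
    """A process (z, iota, tau): z = local ∪ interface variables (name -> finite domain),
    iota a predicate on states, tau a predicate on (state, next state)."""
    def __init__(self, local, interface, init, trans):
        self.local, self.interface = dict(local), dict(interface)
        self.z = {**self.local, **self.interface}
        self.init, self.trans = init, trans


def states(domains):
    """All valuations of the given variables (states are dicts)."""
    names = sorted(domains)
    for vals in product(*(domains[n] for n in names)):
        yield dict(zip(names, vals))


def key(s):
    return tuple(sorted(s.items()))


def unch(names, s, t):
    """unch(X) = (forall x in X : x' = x)."""
    return all(s[n] == t[n] for n in names)


def bounded_language(domains, init, step, k):
    """Sequences of length <= k over `domains` starting in an `init` state whose
    consecutive states satisfy `step`: the finite computations, cut at length k."""
    frontier = [(key(s),) for s in states(domains) if init(s)]
    lang = set(frontier)
    for _ in range(k - 1):
        frontier = [seq + (key(t),) for seq in frontier
                    for t in states(domains) if step(dict(seq[-1]), t)]
        lang.update(frontier)
    return lang


def interleaving_language(p, context, k):
    """L_lt(P)(z; w) up to length k: iota(z) ∧ G((tau(z,z') ∧ unch(w)) ∨ unch(x)).
    `context` maps the context variables w to their domains."""
    def step(s, t):
        return (p.trans(s, t) and unch(context, s, t)) or unch(p.local, s, t)
    return bounded_language({**p.z, **context}, p.init, step, k)


def synchronous_language(p, extra, k):
    """iota(z) ∧ G(tau(z,z')) over z ∪ extra; the `extra` variables are left
    unconstrained so that component languages live over the same variables as Q's."""
    return bounded_language({**p.z, **extra}, p.init, p.trans, k)


def compose(procs, synchronous=False):
    """(||i : P_i), interleaving or synchronous.  Defined only when each process's
    local variables are disjoint from all variables of the other processes."""
    for p in procs:
        for q in procs:
            if p is not q and set(p.local) & set(q.z):
                raise ValueError("local variables must be disjoint from other processes")
    local = {v: d for p in procs for v, d in p.local.items()}
    interface = {v: d for p in procs for v, d in p.interface.items()}
    z = {**local, **interface}

    def init(s):
        return all(p.init(s) for p in procs)

    def trans(s, t):
        if synchronous:                      # all processes step at once
            return all(p.trans(s, t) for p in procs)
        # interleaving: (V i : tau_i ∧ unch(Z_i)), Z_i = variables of Q not in z_i
        return any(p.trans(s, t) and unch([v for v in z if v not in p.z], s, t)
                   for p in procs)
    return Process(local, interface, init, trans)


def p1_holds(procs, context, k, synchronous=False):
    """Bounded check of P1: the language of the composition Q equals the conjunction
    (intersection) of the component languages, each relative to context w ∪ Z_i."""
    q = compose(procs, synchronous)
    lang = synchronous_language if synchronous else interleaving_language
    whole = lang(q, context, k)
    parts = [lang(p, {**context, **{v: d for v, d in q.z.items() if v not in p.z}}, k)
             for p in procs]
    return whole == set.intersection(*parts)


# Constructed example: two processes sharing the interface variable `turn`.  The one
# holding the turn toggles its private program counter and hands the turn over; the
# other idles (its local state is unchanged and it does not constrain turn').
B = (0, 1)


def toggler(pc, me):
    def trans(s, t):
        if s['turn'] == me:
            return t[pc] == 1 - s[pc] and t['turn'] == 1 - me
        return t[pc] == s[pc]
    return Process({pc: B}, {'turn': B}, lambda s: s[pc] == 0, trans)


P1, P2 = toggler('pc1', 0), toggler('pc2', 1)
ENV = {'e': B}   # a context variable the environment may change at will

if __name__ == '__main__':
    print(p1_holds([P1, P2], ENV, 4))                    # interleaving composition
    print(p1_holds([P1, P2], ENV, 4, synchronous=True))  # synchronous composition
```

The check is only over computations of bounded length, so it is a sanity test of the definitions rather than a proof; the equality it confirms is exactly the one Theorem 2 states for the full languages. The idle branch of `toggler` deliberately leaves `turn'` unconstrained so that the synchronous composition, in which both processes must step at once, is non-empty and behaves like the turn-based scheduler of the mutex assumption.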
3.3 Refinement through Fair Simulation

In this part of the paper, we interpret the relation $\preceq$ as refinement through a
simulation relation that includes the effect of fairness constraints, cf. [15]. Composition
is synchronous, with the operators defined as in the previous section.
The difference is that the language of a process is now a set of trees instead of
sequences. We assume that each process has the finite branching property.

Tree Languages: A tree is a prefix-closed subset of $\mathbb{N}^*$. We consider only finite
branching trees. Finite behaviors are finite depth trees. The $\prec$ ordering on trees
is subtree inclusion. The finite branching condition ensures that this ordering is
well-founded on finite behaviors, since each finite-depth tree has finitely many
nodes. A labeled tree, $u$, is a triple $(U, f, \Sigma)$, where $U$ is a tree and $f : U \to \Sigma$.

A computation tree of a process $P$ is obtained, informally, by unrolling its
transition relation starting from an initial state. A computation tree fragment
(CTF, for short) of process $P$ is obtained from a computation tree of $P$ by
either dropping or duplicating some subtrees of the computation tree, while
satisfying its fairness constraint along all infinite branches. Formally, a CTF is
a labeled tree $u = (U, f, \Sigma)$ where: $\Sigma$ is the state space of $P$, $f(\lambda)$ is an initial
state of $P$, $(f(x), f(x.i))$ is a transition of $P$ for each $x \in \mathbb{N}^*$ and $i \in \mathbb{N}$ such
that $x, x.i \in U$, and the fairness condition of $P$ holds along all infinite branches
of $U$. Tree fragments represent the result of composing $P$ with arbitrary, non-deterministic
environments. The set of CTF's of $P$ forms its (tree) language,
denoted by $\mathcal{L}(P)$. The finite language of $P$, $\mathcal{L}^*(P)$, is therefore the set of
finite-depth trees satisfying the CTL-like formula $\iota_P(z_P) \wedge AG(\tau_P(z_P, z_P'))$. The
infinite language of $P$, $\mathcal{L}^\omega(P)$, is the set of infinite trees satisfying, additionally,
$A(\Phi_P(z_P))$. Let $\mathcal{L}(P) = \mathcal{L}^*(P) \cup \mathcal{L}^\omega(P)$. The external language of $P$, denoted
by $\mathcal{L}_{ext}(P)$, is obtained, as before, by projecting out the local variable component
of each node label: formally, this is represented as $(\exists x_P : \mathcal{L}(P))$.

In [14], it is shown (with different notation) that for non-fair processes $P$ and
$Q$, $Q$ simulates $P$ (in the standard sense [22]) iff $[\mathcal{L}_{ext}(P) \subseteq \mathcal{L}_{ext}(Q)]$. Based on
this correspondence, they propose using language inclusion as the definition of
simulation under fairness. We show that this choice satisfies conditions P1-P3.
Conditions P1 and P2 follow quite directly from the CTL formulation of process
language. From the prefix ordering, a tree is in the closure of a set of trees $S$ iff
every finite depth subtree can be extended to a tree in $S$. This is called finite
closure in [20], where it is used to define "universally safe" branching properties.
The proof of P3 relies on the finite-branching property, and König's lemma.

Theorem 7. (P1, P2, P3 for $\mathcal{L}_{ext}$) If $Q = (\| i : P_i)$ is defined, then
(i) $[\mathcal{L}_{ext}(Q) = (\wedge i : \mathcal{L}_{ext}(P_i))]$, (ii) $[\mathcal{L}_{ext}((+ i : P_i)) = (\vee i : \mathcal{L}_{ext}(P_i))]$, and
(iii) for any $P$, $[cl(\mathcal{L}_{ext}(P)) \subseteq \mathcal{L}_{ext}(CL(P))]$.

4 Conclusions 

This paper develops a general framework for designing sound and complete methods
for mutually inductive, assume-guarantee reasoning. The key challenge is in
balancing, on one hand, the restrictions needed to avoid unsound circular reasoning
with liveness properties and, on the other, the generality necessary to
ensure completeness. Furthermore, we show how to instantiate this framework
for linear-time interleaving composition, and extend it to stuttering closed external
languages. We then outline the instantiation for synchronous composition
in both linear and branching time semantics. We believe that the resulting rules
can be adapted without much difficulty to specific modeling languages.
Abstract. This paper contrasts two important features of parallel system
computations: fairness and timing. The study is carried out at specification
system level by resorting to a well-known process description
language. The language is extended with labels which allow to filter out
those process executions that are not (weakly) fair (as in [5,6]), and with
upper time bounds for the process activities (as in [2]).

We show that fairness and timing are closely related. Two main results
are stated. First, we show that each everlasting (or non-Zeno) timed
process execution is fair. Second, we provide a characterization for fair
executions of untimed processes in terms of timed process executions.
This results in a finite representation of fair executions using regular
expressions.



1 Introduction 

In the theory and practice of parallel systems, fairness and timing play an impor- 
tant role when describing the system dynamics. Fairness requires that a system 
activity which is continuously enabled along a computation will eventually pro- 
ceed; this is usually a necessary requirement for proving liveness properties of 
the system. Timing gives information on when actions are performed and can 
serve as a basis for considering efficiency. 

We will show that fairness and timing are somehow related - although they are
used in different contexts. Our comparison is conducted at system specification
level by resorting to a standard (CCS-like) process description language. We
consider two extensions of this basic language. The first extension permits isolating
the fair system executions and follows the approach of Costa and Stirling
[5,6]. The second one adds upper time bounds for the execution time of system
activities and follows the approach taken in [2].

* This work was supported by MURST project 'Sahara: Software Architectures for
Heterogeneous Access Networks infrastructures' and by the Center of Excellence for
Research 'DEWS: Architectures and Design Methodologies for Embedded Controllers,
Wireless Interconnect and System-on-chip'.
Costa and Stirling distinguish between fairness of actions (also called events),
which they study in [5] for a CCS-like language without restriction, and fairness
of components [6]. In both cases they distinguish between weak and strong fairness.
Weak fairness requires that if an action (a component, resp.) can almost
always proceed then it must eventually do so, and in fact it must proceed infinitely
often, while strong fairness requires that if an action (a component) can
proceed infinitely often then it must proceed infinitely often. Differences between
fairness of actions and fairness of components and between weak and strong fairness
are detailed in [6]; for the purpose of this paper, we are interested in weak
fairness of actions. A useful result stated in [5,6] characterizes fair computations
as the concatenation of certain finite sequences, called LP-steps in [6].

Regarding timing, we follow the approach taken in the timed process algebra
PAFAS (Process Algebra for Faster Asynchronous Systems). Based on ideas first
studied for Petri nets e.g. in [10], this new process description language has been
proposed as a useful tool for comparing the worst-case efficiency of asynchronous
systems (see [9,2] for the general theory and [3] for an application). PAFAS is a
CCS-like process description language [12] where basic actions are atomic and
instantaneous but have an associated time bound (which is 1 or 0 for simplicity)
as a maximal time delay for their execution.¹ When, for an action with time
bound 1, this idle-time of 1 has elapsed, the action becomes urgent (i.e. its time
bound becomes 0) and it must be performed (or be deactivated) before time
may pass further - unless it has to wait for a synchronization with another
component, which either does not offer synchronization on this action at all or
at least can still delay the synchronization.

We prove two main results relating timed computations of PAFAS processes
and weak fairness of actions. First, we prove that all everlasting (or non-Zeno)
computations² are fair. This result shows that timing with upper time bounds
imposes fairness among the different system activities. Intuitively, when one time
unit passes, the active actions become urgent and must be performed (or be
deactivated) before time may pass further; this clearly ensures that an activated
action does not wait forever in a computation with infinitely many time steps.

As a second main result we show that LP-steps - defined for untimed pro- 
cesses - coincide in the timed setting with sequences of basic actions between two 
consecutive time steps. As a consequence of this lemma we have that non-Zeno 
process computations fully characterize fair computations. 

Besides providing a formal comparison between fairness and timing, our 
timed characterization of fair executions results in a representation with techni- 
cal advantages compared to the approach of [5,6]. In order to keep track of the 
different instances of system activities along a system execution, Costa and Stir- 
ling associate labels to actions, and the labels are essential in the definition of fair 



¹ As discussed in [2], due to these upper time bounds time can be used to evaluate
efficiency, but it does not influence functionality (which actions are performed); so
compared to CCS, also PAFAS treats the full functionality of asynchronous systems.

² A process computation is a Zeno computation when infinitely many actions happen
in finite time.
computations. New labels are created dynamically during the system evolution
with the immediate effect of changing the syntax of process terms; thus, cycles in
the transition system of a process are impossible and even finite-state processes
(according to the ordinary operational semantics) usually become infinite-state.
From the maximal runs of such a transition system, Costa and Stirling filter out
the unfair computations by a criterion that considers the processes and their
labels on a maximal run. Our timed semantics also provides such a two-level
description: we also change the syntax of processes - in our case by adding timing
information -, but this is much simpler than the labels of [5,6], and it leaves
finite-state processes finite-state. Then we apply a simpler filter, which does not
consider the processes: we simply require that infinitely many time steps occur
in a run. As a small price, we have to project away these time steps in the end.

As mentioned above, Costa and Stirling give a one-level characterization of 
fair computations with an SOS-semantics defining so-called LP-steps; these are 
(finite, though usually unbounded) sequences of actions leading from ordinary 
processes to ordinary processes, with the effect that even finite-state transition 
systems for LP-steps usually have infinitely many transitions - although they 
are at least finite-state. In contrast, our time-based operational semantics de- 
fines steps with single actions (or unit time steps), and consequently a finite-state 
transition system is really finite. Finally, using standard automata-theoretic tech- 
niques, we can get rid of the time steps in such a finite-state transition system 
by constructing another finite-state transition system with regular expressions 
as arc labels; maximal runs in this transition system are exactly the fair runs. 
This way we also arrive at a one-level description, and ours is truly finite. See 
[4] for full details. 

2 A Process Algebra for Faster Asynchronous Systems 

In this section we give a brief description of PAFAS, a process algebra intro- 
duced in [2] to consider the functional behaviour and the temporal efficiency of 
asynchronous systems. The PAFAS transitional semantics is given by two sets 
of SOS-rules. One describes the functional behaviour and is very similar to the 
SOS-rules for standard CCS [12]. The other describes the temporal behaviour 
and is based on a notion of refusal sets. 



2.1 PAFAS Processes 

We use the following notation: $\mathbb{A}$ is an infinite set of basic actions. An additional
action $\tau$ is used to represent internal activity, which is unobservable for other
components. We define $\mathbb{A}_\tau = \mathbb{A} \cup \{\tau\}$. Elements of $\mathbb{A}$ are denoted by $a, b, c, \ldots$
and those of $\mathbb{A}_\tau$ are denoted by $\alpha, \beta, \ldots$. Actions in $\mathbb{A}_\tau$ can let time 1 pass before
their execution, i.e. 1 is their maximal delay. After that time, they become urgent
actions written $\underline{a}$ or $\underline{\tau}$; these have maximal delay 0. The set of urgent actions is
denoted by $\underline{\mathbb{A}}_\tau = \{\underline{a} \mid a \in \mathbb{A}\} \cup \{\underline{\tau}\}$ and is ranged over by $\underline{\alpha}, \underline{\beta}, \ldots$. Elements of
$\mathbb{A}_\tau \cup \underline{\mathbb{A}}_\tau$ are ranged over by $\mu$.




Relating Fairness and Timing in Process Algebras 449 



$\mathcal{X}$ is the set of process variables, used for recursive definitions. Elements of
$\mathcal{X}$ are denoted by $x, y, z, \ldots$. $\Phi : \mathbb{A}_\tau \to \mathbb{A}_\tau$ is a general relabelling function if
the set $\{\alpha \in \mathbb{A}_\tau \mid \emptyset \neq \Phi^{-1}(\alpha) \neq \{\alpha\}\}$ is finite and $\Phi(\tau) = \tau$. Such a function can
also be used to define hiding: $P/A$, where the actions in $A$ are made internal, is
the same as $P[\Phi_A]$, where the relabelling function $\Phi_A$ is defined by $\Phi_A(\alpha) = \tau$
if $\alpha \in A$ and $\Phi_A(\alpha) = \alpha$ if $\alpha \notin A$.

We assume that time elapses in a discrete way.³ Thus, an action prefixed
process $a.P$ can either do action $a$ and become process $P$ (as usual in CCS) or
can let one time step pass and become $\underline{a}.P$; $\underline{a}$ is called urgent $a$, and $\underline{a}.P$ as a
stand-alone process cannot let time pass, but can only do $a$ to become $P$.

Definition 1. (timed process terms)

The set $\tilde{\mathbb{P}}$ of the timed process terms is generated by the following grammar:

$P ::= nil \mid x \mid \alpha.P \mid \underline{\alpha}.P \mid P + P \mid P \|_A P \mid P[\Phi] \mid rec\ x.P$

where $x \in \mathcal{X}$, $\alpha \in \mathbb{A}_\tau$, $\Phi$ is a general relabelling function and $A \subseteq \mathbb{A}$ possibly
infinite. We assume that the recursion is (time-)guarded, i.e. for $rec\ x.P$ variable
$x$ only appears in $P$ within the scope of a prefix $\alpha.()$ with $\alpha \in \mathbb{A}_\tau$. A term $P$
is guarded if each occurrence of a variable is guarded in this sense. A significant
subset of $\tilde{\mathbb{P}}$ is $\tilde{\mathbb{P}}_1$, the set of initial timed process terms. These are $\tilde{\mathbb{P}}$-terms where
every action is in $\mathbb{A}_\tau$; they correspond to ordinary CCS-like processes.

The set of closed (i.e., every variable $x$ in a timed process term $P$ is bound
by the corresponding $rec\ x$-operator) timed process terms in $\tilde{\mathbb{P}}$ and $\tilde{\mathbb{P}}_1$, simply
called processes and initial processes resp., is denoted by $\mathbb{P}$ and $\mathbb{P}_1$ resp.⁴

A brief description of the (PAFAS) operators now follows. $nil$ is the Nil-process;
it cannot perform any action, but may let time pass without limit. A
trailing $nil$ will often be omitted, so e.g. $a.b + c$ abbreviates $a.b.nil + c.nil$. $\mu.P$ is
action prefixing, known from CCS, with the timed behaviour as explained above.
$P_1 + P_2$ models the choice between two conflicting processes $P_1$ and $P_2$. $P_1 \|_A P_2$ is
the parallel composition of two processes $P_1$ and $P_2$ that run in parallel and have
to synchronize on all actions from $A$; this synchronization discipline is inspired
from TCSP. $P[\Phi]$ behaves as $P$ but with the actions changed according to $\Phi$.
$rec\ x.P$ models a recursive definition.



2.2 The Functional Behaviour of PAFAS Processes 

The transitional semantics describing the functional behaviour of PAFAS pro- 
cesses indicates which basic actions they can perform; timing information can 
be disregarded, since we only have upper time bounds; see the two PREF-rules 
below. 

³ PAFAS is not time domain dependent, meaning that the choice of discrete or continuous time makes no difference for the testing-based semantics of asynchronous systems, see [2] for more details.

⁴ As shown in [3], $\mathbb{P}_1$ processes do not have time-stops; i.e. every finite process run can be extended such that time grows unboundedly.
Definition 2. (Functional operational semantics) The following SOS-rules define the transition relations $\xrightarrow{\alpha} \subseteq (\tilde{\mathbb{P}} \times \tilde{\mathbb{P}})$ for $\alpha \in \mathbb{A}_\tau$, the action transitions.

As usual, we write $P \xrightarrow{\alpha} P'$ if $(P, P') \in \xrightarrow{\alpha}$ and $P \xrightarrow{\alpha}$ if there exists a $P' \in \tilde{\mathbb{P}}$ such that $(P, P') \in \xrightarrow{\alpha}$, and similar conventions will apply later on.

Additionally, there are symmetric rules for $\mathrm{Par}_{a1}$ and $\mathrm{Sum}_a$ for actions of $P_2$.



2.3 The Temporal Behaviour of PAFAS Processes 

We are now ready to define the refusal traces of a term $P \in \tilde{\mathbb{P}}$. Intuitively a refusal trace records, along a computation, which actions process $P$ can perform ($P \xrightarrow{\alpha} P'$, $\alpha \in \mathbb{A}_\tau$) and which actions $P$ can refuse to perform when time elapses ($P \xrightarrow{X}_r P'$, $X \subseteq \mathbb{A}$).

Definition 3. (Refusal transitional semantics)

The following inference rules define $\xrightarrow{X}_r \subseteq (\tilde{\mathbb{P}} \times \tilde{\mathbb{P}})$, where $X \subseteq \mathbb{A}$.

Rule $\mathrm{Pref}_{r1}$ says that a process $\alpha.P$ can let time pass and refuse to perform any action, while rule $\mathrm{Pref}_{r2}$ says that a process $P$ prefixed by an urgent action $\underline{a}$ can let time pass but action $a$ cannot be refused. Process $\underline{\tau}.P$ cannot let time pass and cannot refuse any action; also in any context, $\underline{\tau}.P$ has to perform $\tau$ as explained by rule $\mathrm{Pref}_{a2}$ in Definition 2 before time can pass further. Another rule worth noting is $\mathrm{Par}_r$, which defines which actions a parallel composition can refuse during a time-step. The intuition is that $P_1 \|_A P_2$ can refuse an action $a$ if either $a \notin A$ ($P_1$ and $P_2$ can perform $a$ independently) and both $P_1$ and $P_2$ can refuse $a$, or $a \in A$ ($P_1$ and $P_2$ are forced to synchronize on $a$) and at least one of $P_1$ and $P_2$ can refuse $a$, i.e. can delay it. Thus, an action in a parallel composition is urgent (cannot be further delayed) only when all synchronizing ‘local’ actions are urgent. The other rules are as expected.

A transition like $P \xrightarrow{X}_r P'$ is called a (partial) time-step. The actions listed in $X$ are not urgent; hence $P$ is justified in not performing them, but performing a time step instead. This time step is partial because it can occur only in contexts that can refuse the actions not in $X$. If $X = \mathbb{A}$ then $P$ is fully justified in performing this time-step; i.e., $P$ can perform it independently of the environment. If $P \xrightarrow{\mathbb{A}}_r P'$ we write $P \xrightarrow{1} P'$ and say that $P$ performs a full time step.

In [2], it is shown that refusal traces characterize an efficiency preorder, which is intuitively justified by a testing scenario. In the present paper, we need partial time steps only to set up the following SOS-semantics; our real interest is in runs where all time steps are full. We let $\lambda$ range over $\mathbb{A}_\tau \cup \{1\}$.

3 Fairness and PAFAS 

In this section we briefly describe our theory of fairness. It closely follows Costa 
and Stirling’s theory of (weak) fairness. The main ingredients of the theory are: 

- A Labelling for Process Terms. This allows us to detect during a transition which action is actually performed; e.g., for process $P = \mathrm{rec}\,x.a.x$, we need additional information to detect whether the left hand side instance of action $a$ or the right hand one is performed in the transition $P \|_\emptyset P \xrightarrow{a} P \|_\emptyset P$. When an action is performed, we speak of an event, which corresponds to a label, or actually a tuple of labels as we will see.

- Live Events. An action of a process term is live if it can currently be performed. In $a.b.\mathrm{nil} \|_{\{b\}} b.\mathrm{nil}$ only $a$ can be performed while $b$ cannot, momentarily. Such a live action corresponds to a possible event, i.e. to a label.

- Fair Sequences. A maximal sequence is fair when no event in a process term becomes live and then remains live throughout.

These items sketch the general methodology used by Costa and Stirling to define and isolate fair computations in [5,6]. It has to be noted, however, that in [6] Costa and Stirling concentrate on fairness of process components; i.e., along a fair computation, there cannot exist any subprocess that could always contribute some action but never does so. In contrast, we will require fairness for actions. In the setting of [5], i.e. with CCS-composition but without restriction, these two views coincide.

To demonstrate the difference, consider $a \|_{\{a\}} \mathrm{rec}\,x.(a.x + b.x)$ and a run consisting of infinitely many $b$'s. This run is not fair to the component $a$, since this component is enabled at every stage, but never performs its $a$. In our view, this run is fair for the synchronized action $a$, since the second component always offers a fresh $a$ for synchronization. (Another intuitive explanation is that action $a$ is not possible while $b$ is performed.) Correspondingly, the label for such a synchronization (called an event label) is a pair of labels, each stemming from one of the components; such a pair is a live event, and it changes with each transition. It is not clear how our approach could deal with fairness for components.

We now describe the three items in more detail. Most of the definitions in 
the rest of this section are taken from [6] with the obvious slight variations due 
to the different language we are using. We also take from [6] those results that 
are language independent. 

3.1 A Labelling for Process Terms 

Costa and Stirling associate labels with basic actions and operators inside a 
process. Along a computation, labels are unique and, once a label disappears, it 
will not reappear in the process anymore. 

The set of labels is $\mathrm{LAB} = \{1, 2\}^*$ with $\varepsilon$ as the empty label and $u, v, w, \ldots$ as typical elements; $\leq$ is the prefix preorder on LAB. We have that $u \leq v$ if there is $u' \in \mathrm{LAB}$ such that $v = uu'$ (and $u < v$ if $u' \in \{1,2\}^+$). We also use the following notation:

- (Set of Tuples) $\mathcal{N} = \{(v_1, \ldots, v_n) \mid n \geq 1,\ v_1, \ldots, v_n \in \mathrm{LAB}\}$;

- (Composition of Tuples) $s_1 \times s_2 = (v_1, \ldots, v_n, w_1, \ldots, w_m)$, where $s_1, s_2 \in \mathcal{N}$ and $s_1 = (v_1, \ldots, v_n)$, $s_2 = (w_1, \ldots, w_m)$;

- (Composition of Sets of Tuples) $N \times M = \{s_1 \times s_2 \mid s_1 \in N \text{ and } s_2 \in M\}$, where $N, M \subseteq \mathcal{N}$. Note that $N = \emptyset$ or $M = \emptyset$ implies $N \times M = \emptyset$.

All PAFAS operators and variables will now be labelled in such a way that 
no label occurs more than once in an expression. As indicated above, an action 
being performed might correspond to a pair or more generally to a tuple of labels, 
cf. the definition of live events below (6); therefore, we call tuples of labels event 
labels. 

Labels (i.e. elements of LAB) are assigned systematically following the struc- 
ture of PAFAS terms usually as indexes and in case of parallel composition 
as upper indexes. Due to recursion the labelling is dynamic: the rule for rec 
generates new labels. 

Definition 4. (labelled process algebra)

The labelled process algebra $L(\tilde{\mathbb{P}})$ (and similarly $L(\tilde{\mathbb{P}}_1)$ etc.) is defined as $\bigcup_{u \in \mathrm{LAB}} L_u(\tilde{\mathbb{P}})$, where $L_u(\tilde{\mathbb{P}}) = \bigcup_{P \in \tilde{\mathbb{P}}} L_u(P)$ is defined inductively as follows:

Nil, Var: $L_u(\mathrm{nil}) = \{\mathrm{nil}_u\}$, $L_u(x) = \{x_u\}$. In examples, we will often write nil for $\mathrm{nil}_u$, if the label $u$ is not relevant.

Pref: $L_u(\mu.P) = \{\mu_u.P' \mid P' \in L_{u1}(P)\}$

Sum: $L_u(P + Q) = \{P' +_u Q' \mid P' \in L_{u1}(P),\ Q' \in L_{u2}(Q)\}$

Par: $L_u(P \|_A Q) = \{P' \|^u_A Q' \mid P' \in L_{u1v}(P),\ Q' \in L_{u2v'}(Q) \text{ where } v, v' \in \mathrm{LAB}\}$

Rel: $L_u(P[\Phi]) = \{P'[\Phi_u] \mid P' \in L_{u1v}(P) \text{ where } v \in \mathrm{LAB}\}$

Rec: $L_u(\mathrm{rec}\,x.P) = \{\mathrm{rec}\,x_u.P' \mid P' \in L_{u1}(P)\}$

We assume that, in $\mathrm{rec}\,x_u.P$, $\mathrm{rec}\,x_u$ binds all free occurrences of a labelled $x$. We let $L(P) = \bigcup_{u \in \mathrm{LAB}} L_u(P)$ and $\mathrm{LAB}(P)$ is the set of labels occurring in $P$.

The unicity of labels must be preserved under derivation. For this reason in the rec rule the standard substitution must be replaced by a substitution operation which also changes the labels of the substituted expression. The new substitution operation, denoted by $\{\!|\ \_\ |\!\}$, is defined on $L(\tilde{\mathbb{P}})$ using the following operators:

$(\,)^{+v}$: If $P \in L_u(\tilde{\mathbb{P}})$, then $(P)^{+v}$ is the term in $L_{vu}(\tilde{\mathbb{P}})$ obtained by prefixing $v$ to all labels in $P$.

$(\,)_\varepsilon$: If $P \in L_u(\tilde{\mathbb{P}})$, then $(P)_\varepsilon$ is the term in $L_\varepsilon(\tilde{\mathbb{P}})$ obtained by removing the prefix $u$ from all labels in $P$. (Note that $u$ is the unique prefix-minimal label in $P$.)

Suppose $P, Q \in L(\tilde{\mathbb{P}})$ and $x_u, \ldots, x_v$ are all free occurrences of a labelled $x$ in $P$; then $P\{\!|\,Q/x\,|\!\} = P\{((Q)_\varepsilon)^{+u}/x_u, \ldots, ((Q)_\varepsilon)^{+v}/x_v\}$. In such a way in $P\{\!|\,Q/x\,|\!\}$ each substituted $Q$ inherits the label of the $x$ it replaces.

The behavioural and temporal operational semantics of the labelled PAFAS are obtained by replacing the rules $\mathrm{Rec}_a$ and $\mathrm{Rec}_r$ in Definitions 2 and 3 with:

$$\mathrm{Rec}_a\ \frac{P\{\!|\,\mathrm{rec}\,x_u.P/x\,|\!\} \xrightarrow{\alpha} P'}{\mathrm{rec}\,x_u.P \xrightarrow{\alpha} P'} \qquad \mathrm{Rec}_r\ \frac{P\{\!|\,\mathrm{rec}\,x_u.P/x\,|\!\} \xrightarrow{X}_r P'}{\mathrm{rec}\,x_u.P \xrightarrow{X}_r P'}$$

and the rules $\mathrm{Pref}_{a1}$ and $\mathrm{Pref}_{a2}$ in Definition 2 with rules in which the label of the prefix does not appear on the transition, because we assume that labels are not observable when actions are performed. The other rules are unchanged.

The following proposition shows that labels are just annotations that do not interfere with transitions of PAFAS and labelled PAFAS processes. Let $R$ be the operation of removing labels from a labelled PAFAS term.

Proposition 5. Let $P \in L_u(\tilde{\mathbb{P}})$ and $X \subseteq \mathbb{A}$. Then:

i. $P \xrightarrow{\alpha} Q$ ($P \xrightarrow{X}_r Q$) implies $R(P) \xrightarrow{\alpha} R(Q)$ ($R(P) \xrightarrow{X}_r R(Q)$) in unlabelled PAFAS;

ii. if $P' \xrightarrow{\alpha} Q'$ ($P' \xrightarrow{X}_r Q'$) in unlabelled PAFAS and $P' = R(P)$, then for some $Q$ with $Q' = R(Q)$, we have $P \xrightarrow{\alpha} Q$ ($P \xrightarrow{X}_r Q$).

An immediate consequence of the labelling are the following facts that have been proven in [6]: no label occurs more than once in a given process $P \in L_u(\tilde{\mathbb{P}})$ and $w \in \mathrm{LAB}(P)$ implies $u \leq w$. Moreover, central to labelling is the persistence and disappearance of labels under derivation. In particular, once a label disappears it can never reappear. It is these features which allow us to recognize when a component contributes to the performance of an action. Throughout the rest of this section we assume the labelled calculus.



3.2 Live Events 

To capture the fairness constraint for execution sequences, we need to define the live events. For $a_u.\mathrm{nil} \|_{\{a\}} a_v.\mathrm{nil}$ (with labels $u$ and $v$), there is only one live action. This is action $a$; i.e. there is only one $a$-event, which we will identify with the tuple $(u, v)$, i.e. with the tuple of labels of ‘local’ $a$'s that synchronize when the process performs $a$; recall that we call such tuples event labels.⁵ In a similar way, there is only one live action in $a_u.b_v.\mathrm{nil} \|_{\{b\}} b_y.\mathrm{nil}$ (action $a$ corresponding to tuple $(u)$) because the parallel composition prevents the instance of $b$ labelled by $y$ from contributing an action. However, note that $(v, y)$ becomes live, once action $a$ is performed. We now define $\mathrm{LE}(P, A)$ as the set of live events of $P$ (when the execution of actions in $A$ is prevented by the environment).

Definition 6. (live events)

Let $P \in L(\tilde{\mathbb{P}})$ and $A \subseteq \mathbb{A}$. The set $\mathrm{LE}(P, A)$ is defined by induction on $P$.

Var, Nil: $\mathrm{LE}(x_u, A) = \mathrm{LE}(\mathrm{nil}_u, A) = \emptyset$

Pref: $\mathrm{LE}(\mu_u.P, A) = \{(u)\}$ if $\mu = \alpha$ or $\mu = \underline{\alpha}$ and $\alpha \notin A$; $\emptyset$ otherwise

Sum: $\mathrm{LE}(P +_u Q, A) = \mathrm{LE}(P, A) \cup \mathrm{LE}(Q, A)$

Par: $\mathrm{LE}(P \|^u_B Q, A) = \mathrm{LE}(P, A \cup B) \cup \mathrm{LE}(Q, A \cup B) \cup \bigcup_{a \in B \setminus A} \left(\mathrm{LE}(P, \mathbb{A} \setminus \{a\}) \times \mathrm{LE}(Q, \mathbb{A} \setminus \{a\})\right)$

Rel: $\mathrm{LE}(P[\Phi_u], A) = \mathrm{LE}(P, \Phi^{-1}(A))$

Rec: $\mathrm{LE}(\mathrm{rec}\,x_u.P, A) = \mathrm{LE}(P, A)$

The set of live events in $P$ is defined as $\mathrm{LE}(P, \emptyset)$ which we abbreviate to $\mathrm{LE}(P)$.

⁵ Since Costa and Stirling deal with fairness of components, they have no need for tuples.
The set $A$ represents the restricted actions. Then, $\mathrm{LE}(a_u.P, \{a\})$ must be empty because the action $a$ is prevented. Note that, in the Par-case, $\mathrm{LE}(P, A \cup B) \cup \mathrm{LE}(Q, A \cup B)$ is the set of the labels of the live actions of $P$ and $Q$, when the environment prevents actions from $A$ and from the synchronization set $B$, corresponding to those actions that $P$ and $Q$ can perform independently. To properly deal with synchronization, for all $a \in B \setminus A$ we combine each live event of $P$ corresponding to $a$ with each live event of $Q$ corresponding to $a$, getting tuples of labels. The other rules are as expected.
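As an added example (not code from the paper), the following Python function computes $\mathrm{LE}(P, A)$ of Definition 6 over terms whose labels are written by hand as strings; the paper's Definition 4 would generate those labels, and the relabelling of substituted recursion bodies is not modelled here. The prevented set $A$ is passed as a predicate so that the possibly infinite set $\mathbb{A} \setminus \{a\}$ of the Par case can be expressed; the $[\Phi]$ operator is omitted, and the tuple encoding of terms and all names are this example's own choices. It checks the two processes discussed above (the synchronising pair $(u, v)$; the singleton $(u)$ before and the pair $(v, y)$ after action $a$ in $a_u.b_v.\mathrm{nil} \|_{\{b\}} b_y.\mathrm{nil}$) and a hand-labelled $a \|_{\{a\}} \mathrm{rec}\,x.(a.x + b.x)$ from the start of this section, whose live $a$-event is a pair while its $b$-event is a single label.

```python
# Added example, not from the paper: LE(P, A) of Definition 6 over hand-labelled
# terms (the tuple encoding and all names are our own; relabelling is omitted).
from itertools import product
from typing import Callable, FrozenSet, Tuple

TAU = "tau"
Blocked = Callable[[str], bool]   # the set A of LE(P, A) as a predicate (A may be infinite)
Event = Tuple[str, ...]           # an event label: a tuple of labels

# Terms:  ("nil", u) | ("var", u, x) | ("pref", u, act, body) | ("sum", u, P, Q)
#         ("par", u, B, P, Q) | ("rec", u, x, body)
# Urgency plays no role in LE, so a.P and _a.P are both ("pref", ...).

def LE(t: tuple, blocked: Blocked = lambda a: False) -> FrozenSet[Event]:
    """Live events of t when the environment prevents the actions in `blocked`."""
    kind, u = t[0], t[1]
    if kind in ("nil", "var"):                           # Var, Nil
        return frozenset()
    if kind == "pref":                                   # Pref: (u) unless prevented
        return frozenset() if blocked(t[2]) else frozenset({(u,)})
    if kind == "sum":                                    # Sum: the sum label is no event
        return LE(t[2], blocked) | LE(t[3], blocked)
    if kind == "par":                                    # Par
        B, P, Q = t[2], t[3], t[4]
        a_or_b = lambda a: blocked(a) or a in B          # prevent A ∪ B: independent actions
        live = LE(P, a_or_b) | LE(Q, a_or_b)
        for a in sorted(B):                              # every a ∈ B \ A
            if blocked(a):
                continue
            only_a = lambda x, a=a: x not in (a, TAU)    # prevent 𝔸 \ {a}: only a-events
            live |= frozenset(p + q for p, q in product(LE(P, only_a), LE(Q, only_a)))
        return live
    if kind == "rec":                                    # Rec: the body, no unfolding
        return LE(t[3], blocked)
    raise ValueError(f"unknown term {t!r}")

def pref(u: str, act: str, body: tuple) -> tuple:
    return ("pref", u, act, body)

def nil(u: str) -> tuple:
    return ("nil", u)

# a_u.nil ||_{a} a_v.nil: the only live event is the synchronising pair (u, v)
SYNC = ("par", "", frozenset({"a"}), pref("u", "a", nil("u1")), pref("v", "a", nil("v1")))
# a_u.b_v.nil ||_{b} b_y.nil: only (u) is live; after a, the pair (v, y) becomes live
SEQ = ("par", "", frozenset({"b"}), pref("u", "a", pref("v", "b", nil("v1"))),
       pref("y", "b", nil("y1")))
AFTER_A = ("par", "", frozenset({"b"}), pref("v", "b", nil("v1")), pref("y", "b", nil("y1")))
# a ||_{a} rec x.(a.x + b.x) with hand-written labels
LOOP = ("par", "", frozenset({"a"}), pref("1", "a", nil("11")),
        ("rec", "2", "x", ("sum", "21", pref("211", "a", ("var", "2111", "x")),
                                        pref("212", "b", ("var", "2121", "x")))))
```

Passing a predicate such as `lambda a: a == "a"` as the second argument reproduces the remark above that $\mathrm{LE}(a_u.P, \{a\})$ is empty, and for `SYNC` it also removes the pair, since a prevented synchronisation has no event at all.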

3.3 Fair Execution Sequences 

We can now define the (weak) fairness constraint. The following definitions and results are essentially borrowed from [6], and just adapted to our notions of fairness and labelling. First of all, for a process $P_0$, we say that a sequence of transitions $\gamma = P_0 \xrightarrow{\lambda_0} P_1 \xrightarrow{\lambda_1} \cdots$ with $\lambda_i \in \mathbb{A}_\tau \cup \{1\}$ is a timed execution sequence if it is an infinite sequence of action transitions and full time steps⁶.

A timed execution sequence is everlasting in the sense of having infinitely many time steps if and only if it is non-Zeno; a Zeno run would have infinitely many actions in a finite amount of time, which in a setting with discrete time means that it ends with infinitely many action transitions without a time step.

For an initial process $P_0$, we say that a sequence of transitions $\gamma = P_0 \xrightarrow{\alpha_0} P_1 \xrightarrow{\alpha_1} \cdots$ with $\alpha_i \in \mathbb{A}_\tau$ is an execution sequence if it is a maximal sequence of action transitions; i.e. it is infinite or ends with a process $P_n$ such that $P_n \not\xrightarrow{\alpha}$ for any action $\alpha$. Now we formalize fairness by calling a (timed) execution sequence fair, if no event becomes live and then remains live throughout.

Definition 7. (fair execution sequences)

Let $\gamma = P_0 \xrightarrow{\lambda_0} P_1 \xrightarrow{\lambda_1} \cdots$ be an execution sequence or a timed execution sequence; we will write ‘(timed) execution sequence’ for such a sequence. We say that $\gamma$ is fair if

$$\neg(\exists s\ \exists i.\ \forall k \geq i : s \in \mathrm{LE}(P_k))$$

Following [6], we now present an alternative, more local, definition of fair 
computations which will be useful to prove our main statements. 

Definition 8. (B-step)

We say that $P_0 \xrightarrow{\lambda_0} P_1 \xrightarrow{\lambda_1} \cdots \xrightarrow{\lambda_{n-1}} P_n$ with $n \geq 0$ is a timed $B$-step when: (i) $B$ is a finite set of event labels, and (ii) $B \cap \mathrm{LE}(P_0) \cap \ldots \cap \mathrm{LE}(P_n) = \emptyset$. If $\lambda_i \in \mathbb{A}_\tau$, $i = 0, \ldots, n-1$, then the sequence is a $B$-step. If $P_0 \xrightarrow{\lambda_0} P_1 \cdots \xrightarrow{\lambda_{n-1}} P_n$ is a (timed) $B$-step and $v = \lambda_0 \ldots \lambda_{n-1}$ we write $P_0 \xrightarrow{v}_B P_n$.

In particular, a (timed) $\mathrm{LE}(P)$-step from $P$ is “locally” fair: all live events of $P$ lose their liveness at some point in the step.

⁶ Note that a maximal sequence of such transitions/steps is never finite, since for $\gamma = P_0 \xrightarrow{\lambda_0} P_1 \xrightarrow{\lambda_1} \cdots P_n$, we have $P_n \xrightarrow{1}$ or $P_n \xrightarrow{\alpha}$ for some action $\alpha$ (this is because processes are guarded, see [4]).
Definition 9. (fair-step sequences)

A (timed) fair-step sequence from $P_0$ is any maximal sequence of (timed) steps of the form $P_0 \xrightarrow{v_0}_{\mathrm{LE}(P_0)} P_1 \xrightarrow{v_1}_{\mathrm{LE}(P_1)} \cdots$

A fair-step sequence is simply a concatenation of locally fair steps. If $\delta$ is a (timed) fair-step sequence, then its associated (timed) execution sequence is the sequence which drops all references to the sets $\mathrm{LE}(P_i)$.

Now we have the expected result stating that fair execution sequences and fair-step sequences are essentially the same.

Theorem 10. A (timed) execution sequence is fair if and only if it is the sequence associated with a (timed) fair-step sequence.

4 Fairness and Timing 

This section is the core of the paper. It relates fairness and timing in a process 
algebraic setting. 

4.1 Fairness of Everlasting Sequences 

The following proposition is a key statement for proving our main results. It states that each sequence of functional transitions between two full time steps is actually an $\mathrm{LE}(P)$-step.

Proposition 11. Let $P \in L(\tilde{\mathbb{P}})$ and $v, w \in (\mathbb{A}_\tau)^*$.

1. If $P \xrightarrow{1} P_1 \xrightarrow{v} P_2 \xrightarrow{1}$ then $P \xrightarrow{v}_{\mathrm{LE}(P)} P_2$;

2. If $P \xrightarrow{w} Q \xrightarrow{1} Q_1 \xrightarrow{v} Q_2 \xrightarrow{1}$ then $P \xrightarrow{wv}_{\mathrm{LE}(P)} Q_2$.

Then, we prove that each everlasting timed execution sequence of PAFAS processes is fair.

Theorem 12. Each everlasting timed execution sequence, i.e. each timed execution sequence of the form

$$\gamma = P_0 \xrightarrow{v_0} P_1 \xrightarrow{1} P_2 \xrightarrow{v_1} P_3 \xrightarrow{1} P_4 \xrightarrow{v_2} P_5 \xrightarrow{1} \cdots$$

with $v_0, v_1, v_2, \ldots \in (\mathbb{A}_\tau)^*$ is fair.

Observe that an everlasting timed execution sequence, by its definition, does not depend on the labelling, i.e. it is a notion of the unlabelled PAFAS calculus.

4.2 Relating Timed Executions and Fair Executions 

While in the previous section we have shown that every everlasting timed execution is fair, we show in this section that everlasting timed execution sequences of initial PAFAS processes in fact characterize the fair untimed executions of these processes. Observe that the latter is a notion of an ordinary labelled untimed process algebra (like CCS or TCSP), while the former is a notion of our unlabelled timed process algebra.

A key statement for proving this shows that whenever an initial process P 
can perform a sequence v of basic actions and this execution turns out to be an 
LE(P)-step, then P can alternatively let time pass (perform a 1-time step) and 
then perform the sequence of basic actions v, and vice versa. 

To relate processes in fair-step sequences and execution sequences, we define the set of processes $\mathrm{UU}(P)$ obtained by unfolding recursive terms in a given process $P$ (that are not action guarded) and then by making some of the (initial) actions urgent. In the following definition, if $I$ and $J$ are sets of processes and $op$ is a PAFAS binary operator then $I\ op\ J$ is defined as $\{P\ op\ Q \mid P \in I \text{ and } Q \in J\}$; analogously, we deal with the unary operators $[\Phi]$.

Definition 13. (urgency and unfolding)

Let $P \in L(\tilde{\mathbb{P}}_1)$ be a labelled term. Define $\mathrm{UU}(P)$ by induction on $P$ as follows:

Var, Nil: $\mathrm{UU}(x_u) = \{x_u\}$, $\mathrm{UU}(\mathrm{nil}_u) = \{\mathrm{nil}_u\}$

Pref: $\mathrm{UU}(\alpha_u.P) = \{\alpha_u.P\} \cup \{\underline{\alpha}_u.P\}$

Sum: $\mathrm{UU}(P +_u Q) = \mathrm{UU}(P) +_u \mathrm{UU}(Q)$

Par: $\mathrm{UU}(P \|^u_B Q) = \mathrm{UU}(P) \|^u_B \mathrm{UU}(Q)$

Rel: $\mathrm{UU}(P[\Phi_u]) = (\mathrm{UU}(P))[\Phi_u]$

Rec: $\mathrm{UU}(\mathrm{rec}\,x_u.P) = \{\mathrm{rec}\,x_u.P\} \cup \mathrm{UU}(P)\{\!|\,\mathrm{rec}\,x_u.P/x\,|\!\}$

In [4] we present a key proposition relating LE-steps and temporal transitions. More in detail, we relate initial processes to processes that can perform a full time step; an initial process $Q_0$ can perform an $\mathrm{LE}(Q_0)$-step $v$ to $Q_n$ if and only if any process $R \in \mathrm{UU}(Q_0)$ that can perform a full time step can perform the action sequence $v$ afterwards to another process $R_n \in \mathrm{UU}(Q_n)$ that can again perform a full time step. Note that this statement would not hold if we defined (as in [6]) $\mathrm{LE}(P +_u Q, A) = \{u\}$ if $\mathrm{LE}(P, A) \cup \mathrm{LE}(Q, A) \neq \emptyset$ and $\mathrm{LE}(P +_u Q, A) = \emptyset$ otherwise. Indeed, for the initial process $P = (a_{111}.\mathrm{nil} \|^{11}_\emptyset b_{112}.\mathrm{nil}) +_1 c_{12}.\mathrm{nil}$ we would have $P \xrightarrow{a}_{\mathrm{LE}(P)} \mathrm{nil} \|^{11}_\emptyset b_{112}.\mathrm{nil}$, but $P \xrightarrow{1} (\underline{a}_{111}.\mathrm{nil} \|^{11}_\emptyset \underline{b}_{112}.\mathrm{nil}) +_1 \underline{c}_{12}.\mathrm{nil} \xrightarrow{a} \mathrm{nil} \|^{11}_\emptyset \underline{b}_{112}.\mathrm{nil}$, where the latter process cannot let one time unit pass.
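The following is an added worked example, not code from the paper: a small Python interpreter for the PAFAS fragment without relabelling (nil, variables, $\alpha.P$, $\underline{\alpha}.P$, $+$, $\|_A$, rec), implementing the action transitions of Definition 2 and the full time step $\xrightarrow{1}$ of Definition 3. Instead of enumerating refusal sets $X$, it tracks the visible actions a term cannot refuse (the complement of its largest refusable set); a full time step then exists exactly when that set is empty and no urgent $\tau$ is enabled, and the $\mathrm{Par}_r$ intuition of Sect. 2.3 (a synchronised action is urgent only when all local copies are) becomes the set equation in `cannot_refuse`. It checks two claims made in the text: the $b$-run of $a \|_{\{a\}} \mathrm{rec}\,x.(a.x + b.x)$ from Sect. 3 is everlasting, and the process $(a.\mathrm{nil} \|_\emptyset b.\mathrm{nil}) + c.\mathrm{nil}$ just discussed cannot let time pass after a time step followed by $a$. The term constructors, the string `"tau"` for $\tau$ and all function names are this example's own choices.

```python
# Added example, not from the paper: an interpreter for PAFAS terms without
# relabelling; all names here (Nil, Pref, full_time_step, ...) are our own.
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple, Union

TAU = "tau"                                         # the internal action

@dataclass(frozen=True)
class Nil: pass
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Pref: act: str; body: "Term"; urgent: bool = False   # urgent encodes _a.P
@dataclass(frozen=True)
class Sum: left: "Term"; right: "Term"
@dataclass(frozen=True)
class Par: left: "Term"; sync: FrozenSet[str]; right: "Term"   # sync is the A of ||_A
@dataclass(frozen=True)
class Rec: var: str; body: "Term"
Term = Union[Nil, Var, Pref, Sum, Par, Rec]

def subst(t: Term, x: str, r: Term) -> Term:       # P{r/x} on free occurrences of x
    if isinstance(t, Var):
        return r if t.name == x else t
    if isinstance(t, Pref):
        return replace(t, body=subst(t.body, x, r))
    if isinstance(t, (Sum, Par)):
        return replace(t, left=subst(t.left, x, r), right=subst(t.right, x, r))
    if isinstance(t, Rec) and t.var != x:           # an inner rec x shadows x
        return Rec(t.var, subst(t.body, x, r))
    return t

def steps(t: Term) -> List[Tuple[str, Term]]:
    """Action transitions P --a--> P' of Definition 2 (rules Pref, Sum, Par, Rec)."""
    if isinstance(t, Pref):                         # a.P and _a.P both perform a
        return [(t.act, t.body)]
    if isinstance(t, Sum):
        return steps(t.left) + steps(t.right)
    if isinstance(t, Par):
        ls, rs = steps(t.left), steps(t.right)
        return ([(a, Par(l, t.sync, t.right)) for a, l in ls if a not in t.sync]
                + [(a, Par(t.left, t.sync, r)) for a, r in rs if a not in t.sync]
                + [(a, Par(l, t.sync, r)) for a, l in ls for b, r in rs
                   if a == b and a in t.sync])      # synchronisation on A
    return steps(subst(t.body, t.var, t)) if isinstance(t, Rec) else []   # nil is stuck

def cannot_refuse(t: Term) -> Optional[FrozenSet[str]]:
    """Visible actions t cannot refuse when one time unit passes; None = no time step."""
    if isinstance(t, Pref):                         # Pref_r1 / Pref_r2
        return frozenset() if not t.urgent else (None if t.act == TAU else frozenset({t.act}))
    if isinstance(t, (Sum, Par)):
        l, r = cannot_refuse(t.left), cannot_refuse(t.right)
        if l is None or r is None:                  # both sides must be able to delay
            return None
        if isinstance(t, Sum):
            return l | r
        # Par_r read on the complement: a not in A is urgent if either side is,
        # a in A only if both synchronising copies are urgent
        return ((l | r) - t.sync) | (l & r & t.sync)
    return cannot_refuse(subst(t.body, t.var, t)) if isinstance(t, Rec) else frozenset()

def delay(t: Term) -> Term:                         # after a time step all prefixes are urgent
    if isinstance(t, Pref):
        return replace(t, urgent=True)
    if isinstance(t, (Sum, Par)):
        return replace(t, left=delay(t.left), right=delay(t.right))
    return delay(subst(t.body, t.var, t)) if isinstance(t, Rec) else t

def full_time_step(t: Term) -> Optional[Term]:
    """P --1--> P' (refusal set = whole alphabet): possible iff nothing is urgent."""
    return delay(t) if cannot_refuse(t) == frozenset() else None

# Sect. 3: a ||_{a} rec x.(a.x + b.x); b forever is everlasting since every unfolding
# offers a fresh non-urgent a, so the synchronised a never becomes urgent.
LOOP = Par(Pref("a", Nil()), frozenset({"a"}),
           Rec("x", Sum(Pref("a", Var("x")), Pref("b", Var("x")))))

def everlasting_b_run(t: Term, rounds: int) -> bool:
    """Alternate a full time step and a b-transition `rounds` times."""
    for _ in range(rounds):
        t = full_time_step(t)
        bs = [q for a, q in steps(t) if a == "b"] if t is not None else []
        if not bs:
            return False
        t = bs[0]
    return True

# Sect. 4.2: (a.nil ||_0 b.nil) + c.nil; after a time step and then a, the rest
# nil ||_0 _b.nil holds an urgent b and cannot let one time unit pass.
P = Sum(Par(Pref("a", Nil()), frozenset(), Pref("b", Nil())), Pref("c", Nil()))

def after_time_then(t: Term, act: str) -> Optional[Term]:
    """A full time step followed by one `act`-transition, or None if impossible."""
    t = full_time_step(t)
    return next((q for a, q in steps(t) if a == act), None) if t is not None else None
```

Because `delay` is deterministic, the timed-reachable transition system of an initial process (the $\mathrm{TT}(P)$ of Sect. 4.3) can be explored by iterating `steps` and `full_time_step` from the start term; `cannot_refuse` also makes the Sect. 2.3 remark checkable directly: $\underline{a}.\mathrm{nil} \|_{\{a\}} a.\mathrm{nil}$ can still let time pass, whereas $\underline{a}.\mathrm{nil} \|_\emptyset a.\mathrm{nil}$ cannot.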

We now provide a characterization result for fair execution sequences in terms of timed execution sequences.

Theorem 14. (Characterization of fair timed execution sequences)

Let $P \in L(\tilde{\mathbb{P}}_1)$ and $\alpha_0, \alpha_1, \alpha_2, \ldots \in \mathbb{A}_\tau$. Then:

1. For any fair execution sequence from $P$

$$P = P_0 \xrightarrow{\alpha_0} P_1 \xrightarrow{\alpha_1} P_2 \cdots P_i \xrightarrow{\alpha_i} P_{i+1} \cdots$$

there exists a timed execution sequence in unlabelled PAFAS

$$R(P) = S_{i_0} \xrightarrow{1} S'_{i_0} \xrightarrow{v_{i_0}} S_{i_1} \xrightarrow{1} S'_{i_1} \xrightarrow{v_{i_1}} S_{i_2} \cdots S_{i_j} \xrightarrow{1} S'_{i_j} \xrightarrow{v_{i_j}} S_{i_{j+1}} \cdots$$

where $i_0 = 0$, $v_{i_j} = \alpha_{i_j} \alpha_{i_j+1} \cdots \alpha_{i_{j+1}-1}$ and $S_{i_j} \in \mathrm{UU}(R(P_{i_j}))$ for every $j \geq 0$. A similar result holds if $P_{i+1} \not\xrightarrow{\alpha}$ for any $\alpha \in \mathbb{A}_\tau$; then $S'_{i_j} \xrightarrow{1} S''_{i_j} \xrightarrow{1} S'''_{i_j} \xrightarrow{1} \cdots$.

2. For any timed execution sequence from $R(P)$ in unlabelled PAFAS

$$R(P) = S_{i_0} \xrightarrow{1} S'_{i_0} \xrightarrow{v_{i_0}} S_{i_1} \xrightarrow{1} S'_{i_1} \xrightarrow{v_{i_1}} S_{i_2} \cdots$$

where $i_0 = 0$, $v_{i_j} = \alpha_{i_j} \alpha_{i_j+1} \cdots \alpha_{i_{j+1}-1}$ for every $j \geq 0$, there exists a fair execution sequence

$$P = P_0 \xrightarrow{\alpha_0} P_1 \xrightarrow{\alpha_1} P_2 \cdots P_i \xrightarrow{\alpha_i} P_{i+1} \cdots$$

where $S_{i_j} \in \mathrm{UU}(R(P_{i_j}))$, for every $j \geq 0$. Again, there is a variation where $S'_{i_j} \xrightarrow{1} S''_{i_j} \xrightarrow{1} S'''_{i_j} \xrightarrow{1} \cdots$ implies $P_{i+1} \not\xrightarrow{\alpha}$ for any $\alpha \in \mathbb{A}_\tau$.



4.3 Fair Execution Sequences and Finite State Processes 

We call an initial process $P \in L(\tilde{\mathbb{P}}_1)$ (i.e. a standard untimed process) finite state, if only finitely many processes are action-reachable, i.e. can be reached according to the functional operational semantics, i.e. with transitions $\xrightarrow{\alpha}$.

For the definition of fair executions, we followed Costa and Stirling and in- 
troduced two semantic levels: one level (the positive) prescribes the finite and in- 
finite execution sequences of labelled processes disregarding their fairness, while 
the other (the negative) filters out the unfair ones. The labels are notationally 
heavy, and keeping track of them is pretty involved. Since the labels evolve dy- 
namically along computations, the transition system defined for the first level is 
in general infinite state even for finite state processes (as long as they have at 
least one infinite computation). Also the filtering mechanism is rather involved, 
since we have to check repeatedly what happens to live events along the compu- 
tation, and for this we have to consider the processes passed in the computation. 

With the characterization results of the previous subsection, we have not only shown a conceptual relationship between timing and fairness. We have also given a much lighter description of the fair execution sequences of a process $P \in L(\tilde{\mathbb{P}}_1)$ via the transition system of processes timed-reachable (i.e. with transitions $\xrightarrow{\alpha}$ and $\xrightarrow{1}$) from $P$, which we will denote by $\mathrm{TT}(P)$: the marking of some actions with underlines is easier than the labelling mechanism, and the filtering simply requires infinitely many time steps, i.e. non-Zeno behaviour; hence, for filtering one does not have to consider the processes passed. Furthermore, the transition system $\mathrm{TT}(P)$ is finite for finite state processes.

Theorem 15. If $P \in L(\tilde{\mathbb{P}}_1)$ is finite state, then $\mathrm{TT}(P)$ is finite.

The main result in [5,6] is a characterization of fair execution sequences with only one (positive) level: SOS-rules are given that describe all transitions $P \xrightarrow{v} Q$ with $v \in (\mathbb{A}_\tau)^*$ such that $P \xrightarrow{v}_{\mathrm{LE}(P)} Q$. This is conceptually very simple, since there is only one level and there is no labelling or marking of processes: the corresponding transition system for $P$ only contains processes reachable from $P$. In particular, the transition system is finite-state if $P$ is finite-state. The drawback is that, in general, $P$ has infinitely many $\mathrm{LE}(P)$-steps (namely, if it has an infinite computation), and therefore the transition system is infinitely branching and has infinitely many arcs. (Observe that this drawback is not shared by our transition system of timed-reachable processes.)

As a second main result, we will now derive from $\mathrm{TT}(P)$ for a finite-state process $P$ a finite transition system with finitely many arcs that describes the fair execution sequences in one level: the essential idea is that the arcs are inscribed with regular expressions (and not just with sequences as in [5,6]). The states of this transition system are the states $Q$ of $\mathrm{TT}(P)$ such that $Q \xrightarrow{1} Q'$; if $R$ is another such state, we have an arc from $Q$ to $R$ labelled with a regular expression $e$. This expression is obtained by taking $\mathrm{TT}(P)$ with $Q'$ as initial state and $R$ as the only final state, deleting all transitions $\xrightarrow{1}$ and applying the well-known Kleene construction to get an (equivalent) regular expression from a nondeterministic automaton. (The arc can be omitted, if $e$ describes the empty set.) Clearly, such an arc corresponds to a set of $B$-steps which are also present in the one-level characterization of Costa and Stirling, but there is one exception: if $Q' \xrightarrow{1}$, then $Q$ and $Q'$ cannot perform any action; hence, there will only be an $\varepsilon$-labelled arc from $Q'$ to itself and, if $Q \neq Q'$, from $Q$ to $Q'$.

Thus, we can obtain exactly the action sequences performed in fair execution 
sequences of P by taking the infinite paths from P in the new transition system 
and replacing each regular expression e by a sequence in the language of e. 

Observe that $P$ is a state of the new transition system, but not all states are initial processes. It would be nice to have only arcs $P \xrightarrow{e} Q$ such that $P$ and $Q$ are initial processes and for each $v$ belonging to $e$ one has $P \xrightarrow{v} Q$; to get this, we still have a technical problem corresponding to the fact that some recursions may be unfolded in a process $R \in \mathrm{UU}(Q)$ compared to $Q$.

Another interesting line of research regards the notion of fairness for com- 
ponents and the possibility of characterizing this different fairness notion in our 
setting. As already discussed in Sect. 3, the current timed operational semantics 
of initial terms is not appropriate for this purpose. It would be nice to find a 
suitable operational semantics and to check if it corresponds to some notion of 
time. 

A very recent paper shows some similarities with our work. In [1], Stephen Brookes gives a denotational trace semantics for CSP processes to describe a weak notion of fairness close to ours. In his setting, processes explicitly declare to the external environment the actions that are waiting for a synchronization in the current state. Thus, besides input actions $a?$ and output actions $a!$ (Brookes uses a CCS-like synchronization mechanism), processes can perform transitions like $P \xrightarrow{\delta_X} P$, where $X$ is a set of actions which, in our terms, are live. The achievement is a notion of traces to describe fair behavior which gives a compositional semantics and which can be defined denotationally and operationally, such that the same notion of trace can be used both for synchronous and asynchronous communicating processes. The resulting fairness notion is different from ours in that Brookes only cares about fairness of internal actions. We also have different issues. We start with a notion of timed traces that has a meaning of its own, and show how these traces are related to and can be used for easier descriptions of Costa and Stirling’s fair traces.
Abstract. Digital signal processing and control (DSPC) tools allow ap- 
plication developers to assemble systems by connecting predefined com- 
ponents in signal-flow graphs and by hierarchically building new compo- 
nents via encapsulating sub-graphs. Run-time environments then dynam- 
ically schedule components for execution on some embedded processor, 
typically in a synchronous cycle-based fashion, and check whether one 
component jams another by producing outputs faster than can be con- 
sumed. This paper develops a process-algebraic model of coordination 
for synchronous component-based design, which directly lends itself to 
compositionally formalising the monolithic semantics of DSPC tools. By 
uniformly combining the well-known concepts of abstract clocks, max- 
imal progress and clock-hiding, it is shown how the DSPC principles 
of dynamic synchronous scheduling, isochrony and encapsulation may 
be captured faithfully and compositionally in process algebra, and how 
observation equivalence may facilitate jam checks at compile-time. 



1 Introduction 

One important domain for embedded-systems designers is digital signal processing and control (DSPC) applications. These involve dedicated software for control and monitoring problems in industrial production plants, or software 
embedded in engineering products. The underlying programming style within 
this domain relies on component-based design, based on the rich repositories of 
pre-compiled and well-tested software components (PID-controllers, FIR-filters, 
FFT-transforms, etc.) built by engineers over many years. Applications are sim- 
ply programmed by interconnecting components, which frees engineers from 
most of the error-prone low-level programming tasks. Design efficiency is fur- 
ther aided by the fact that DSPC programming tools, including LabView [9], 
iConnect [15] and Ptolemy [10], provide a graphical user interface that supports 
hierarchical extensions of signal- flow graphs. These permit the encapsulation of 
sub-systems into single components, thus enabling the reuse of system designs. 
While the visual signal-flow formalism facilitates the structural design of 
DSPC applications, the behaviour of a component-based system manifests it- 
self only once its components are scheduled on an embedded processor. This 
scheduling is often handled dynamically by run-time environments, as is the 
case in LabView and iConnect, in order to achieve more efficient and adaptive 
real-time behaviour. The scheduling typically follows a cycle-based execution 
model with the phases collect input (I), compute reaction (R) and deliver out- 
put (O). At the top level, the scheduler continuously iterates between executing 
the source components that produce new inputs, e.g., by reading sensor values, 
and executing computation components that transform input values into output 
values, which are then delivered to the system environment, e.g., via actuators. 
Each phase obeys the synchrony principle, i.e., in (I) all source components are 
given a chance to collect input from the environment before any computation 
component is executed, in (R) every computation component whose inputs are 
available will be scheduled for execution, and in (O) all generated outputs will 
be delivered before the current cycle ends. The constraint in phase (O), which 
is known as isochrony [6], implies that each output signal will be ‘simultane- 
ously’ and ‘instantaneously’ received at each connected input. This synchronous 
scheme can be applied in a hierarchical fashion, abstracting a sequence of RO- 
steps produced by a sub-system into a single RO-step (cf. Sect. 2). 

As in synchronous programming, the implicit synchrony hypothesis of IRO scheduling assumes that the reaction of a (sub-)system is always faster than 
its environment issues execution requests. If a component cannot consume its 
input signals at the pace at which they arrive, a jam occurs [15], indicating a 
serious real-time problem (cf. Sect. 2). Unfortunately, in existing tools, there are 
no compile-time checks for detecting jams, thereby forcing engineers to rely on 
extensive simulations for validating their applications before delivery. Moreover, 
there is no formal model of IRO scheduling for DSPC programming systems that 
can be used for the static analysis of jams, and the question of how to distribute 
the monolithic IRO scheduler into a uniform model of coordination has not been 
addressed in the literature either. 
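As an added illustration (not code from the paper, and not how LabView, iConnect or Ptolemy are implemented), the following Python sketch simulates the cycle-based I-R-O scheduling just described and flags a jam in the sense above: a computation component that takes longer than one cycle per reaction while fresh inputs keep arriving. Port names, the `period` parameter, the one-value-per-input-port rule and the counter used as an audio signal are simplifying assumptions of this example; the paper's own treatment uses CaSE rather than a simulator.

```python
# Added example, not from the paper or from any DSPC tool: a toy simulation of
# I-R-O scheduling with a jam check. Port names, the `period` parameter and the
# one-value-per-input-port rule are simplifying assumptions of this example.
from typing import Callable, Dict, List, Optional, Tuple

Values = Dict[str, float]
Connection = Tuple[str, str, str, str]   # (source, out port, destination, in port)

class Component:
    """A signal-flow component; `period` is how many cycles one reaction takes."""
    def __init__(self, name: str, inputs: List[str], outputs: List[str],
                 react: Callable[[Values], Values], period: int = 1):
        self.name, self.inputs, self.outputs, self.react = name, inputs, outputs, react
        self.period, self.busy = period, 0
        self.pending: Values = {}        # at most one unconsumed value per input port

class IROScheduler:
    def __init__(self, sources: List[Component], computations: List[Component],
                 connections: List[Connection]):
        self.sources, self.computations, self.connections = sources, computations, connections
        self.by_name = {c.name: c for c in computations}
        self.cycle = 0

    def step(self) -> Optional[str]:
        """Run one cycle; return a description of the first jam, or None."""
        self.cycle += 1
        produced: Dict[str, Values] = {}
        # (I): every source collects its input before any computation is executed
        for s in self.sources:
            produced[s.name] = s.react({})
        # (R): every computation whose inputs are all available reacts (synchrony);
        # a component still busy with an earlier reaction leaves its inputs pending
        for c in self.computations:
            if c.busy:
                c.busy -= 1
            elif all(p in c.pending for p in c.inputs):
                produced[c.name] = c.react(c.pending)
                c.pending, c.busy = {}, c.period - 1
        # (O): all outputs are delivered 'simultaneously' before the cycle ends
        # (isochrony); a value arriving at a port that still holds an unconsumed
        # value means the consumer cannot keep pace: a jam
        for src, out, dst, inp in self.connections:
            if src in produced:
                target = self.by_name[dst]
                if inp in target.pending:
                    return f"cycle {self.cycle}: {dst}.{inp} jammed by {src}.{out}"
                target.pending[inp] = produced[src][out]
        return None

    def run(self, cycles: int) -> Optional[str]:
        for _ in range(cycles):
            jam = self.step()
            if jam is not None:
                return jam
        return None

def spectrum_analyser(element_period: int) -> IROScheduler:
    """One Soundcard feeding one Element that drives one BarGraph, loosely after
    Fig. 1; the constructed audio signal is just a counter."""
    samples = iter(range(1, 1 << 30))
    s0 = Component("s0", [], ["so"], lambda _: {"so": float(next(samples))})
    c1 = Component("c1", ["ei"], ["eo"], lambda v: {"eo": abs(v["ei"])}, element_period)
    d1 = Component("d1", ["bi"], [], lambda v: {})
    return IROScheduler([s0], [c1, d1],
                        [("s0", "so", "c1", "ei"), ("c1", "eo", "d1", "bi")])
```

With `element_period=1` the pipeline runs indefinitely; with `element_period=2` the Element consumes every other cycle while the Soundcard delivers every cycle, and the simulator reports the jam as soon as a second sample lands on the still-occupied input port. A static check of the kind the paper argues for would have to establish the same property for every possible schedule and input, which is what reducing jam detection to timelock checking in CaSE is meant to provide.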

The objective of this paper is to show that a relatively small number of stan- 
dard concepts studied in concurrency theory provides the key to compositionally 
formalising the semantics of component-based DSPC designs, and to enabling 
static jam checks. The most important concepts from the process-algebra tool- 
box are handshake synchronisation from CCS [12] and abstract clocks in com- 
bination with maximal progress as investigated in temporal process algebras, 
specifically TPL [7], PMC [1] and CSA [3]. We use handshake synchronisation 
for achieving serialisation and maximal-progress clocks for enforcing synchrony. 
Finally, given maximal progress, synchronous encapsulation may be captured 
naturally in terms of clock-hiding, similar to hiding in CSP [8]. We will uni- 
formly integrate all three concepts into a single process language (cf. Sect. 3), to 
which we refer as Calculus for Synchrony and Encapsulation (CaSE) and which 
conservatively extends CCS in being equipped with a behavioural theory based 
on observation equivalence [12]. 
As our main contribution we will formally establish that CaSE is expressive 
enough for faithfully modelling the principles of IRO scheduling and for cap- 
turing jams (cf. Sect. 4). First, using a single clock and maximal progress we 
will show how one may derive a decentralised description of the synchronous 
scheduler. Second, we prove that isochrony across connections can be modelled 
via multiple clocks and maximal progress. Third, the subsystems-as-components 
principle is captured by the clock-hiding operator. Moreover, we will argue that 
observation equivalence lends itself for statically detecting jams by reducing 
jam checking to timelock checking. In this way, our modelling in CaSE yields a 
model of coordination for synchronous component-based design, whose virtue is 
its compositional style for specifying and reasoning about DSPC systems and its 
support for the static capture of semantic properties of DSPC programs. Thus, 
CaSE provides a foundation for developing new-generation DSPC tools that offer 
the compositional, static analysis techniques desired by engineers. 

2 An Example of DSPC Design 

Our motivating example is a digital spectrum analyser whose hierarchical signal-
flow graph is sketched in Fig. 1. The task is to analyse an audio signal and 
continually show an array of bar-graphs representing the intensity of the signal 
in disjoint sections of the frequency range. Our spectrum analyser is designed 
with the help of components Soundcard, Const, Element and BarGraph. 
Each instance c1, c2, ... of Element, written as ck:Element or simply ck, for 
k = 1, 2, ..., is responsible for assessing the intensity of one frequency range, 
which is then displayed by component instance dk:BarGraph. The first input 
port ei_k1 of ck:Element is connected to the output port so of the single instance 
s0:Soundcard, which generates the audio signal and provides exactly one 
audio value each time it is scheduled. As can be seen by the wire stretching from 
output port co_k to input port ei_k2, ck:Element is also connected to instance 
sk:Const of component Const, which initialises ck:Element by providing filter 
parameters when it is first scheduled. In contrast to components Soundcard and 
Const, Element is not a basic but a hierarchical component. Indeed, every ck 
encapsulates one instance of Filter, ck1:Filter, and one of Quantise, ck2:Quantise, 
as shown in Fig. 1 on the right-hand side. 

Fig. 1. Example: Digital spectrum analyser 

Scheduling. According to IRO scheduling, our example application will be 
serialised as follows within each IRO-cycle. First, each source component instance 
gets the chance to execute. In the first cycle, this will be s0:Soundcard and all 
sk:Const, which will be interleaved in some arbitrary order. In all subsequent 
cycles, only s0:Soundcard will request to be scheduled, since sk:Const can only 
produce a value once. Each produced sound value will be instantaneously 
propagated from output port so of s0 to the input port ei_k1 of each ck:Element, for 
all k ≥ 1, according to the principle of isochronic broadcast discussed below. 
The scheduler then switches to scheduling computation components. Since all 
necessary inputs of each ck are available in each IRO-cycle, every ck will 
request to be scheduled. The scheduler will serialise these requests, each ck will 
execute accordingly, and the synthesised frequency-strength signal will be 
emitted by component ck2:Quantise via port qo_k, and propagated by ck through 
port eo_k. Upon reception of this signal by dk:BarGraph at port gi_k, this 
computation component instance will also request to be scheduled and, according to 
the synchrony hypothesis, granted execution within the same IRO-cycle. When 
all components dk have executed, the current IRO-cycle ends since these do not 
generate outputs that need to be propagated to the system environment. 

It is important to note that, since each ck encapsulates further computation 
component instances, its execution is non-trivial and involves a sub-scheduler 
that will schedule ck1:Filter and ck2:Quantise in such a way that an RO-cycle of 
these instances will appear atomic outside of ck. This ensures that the scheduling 
of the inner ck1 and ck2 will not be interleaved with the execution of any sibling 
instance cl of ck, for l ≠ k, or any component instance dk. 

Isochronic Output. Whenever s0:Soundcard is scheduled in our example system, 
it generates an audio signal whose value is propagated via a wire from 
port so, which forks to port ei_k1 of each instance ck:Element, for k ≥ 1. In order 
for the array of bar-graphs to display a consistent state synchronous with the 
environment, all ck must have received the new value from s0:Soundcard before 
any ck:Element may be scheduled. Thus, s0:Soundcard and all ck:Element, for 
k ≥ 1, must synchronise to transmit sound values instantaneously. This form 
of synchronisation is called isochrony [6] in hardware, where it is the weakest 
known synchronisation principle from which non-trivial sequential behaviour can 
be implemented safely, without internal real-time glitches. 

Jams. Let us now consider what happens if instances s0:Soundcard and s1:Const 
are accidentally connected the wrong way around, i.e., output port so is 
connected to input port ei_12, and output port co_1 of s1:Const to input port ei_11 of 
c1:Element. Recall that c11:Filter within c1:Element will only read a value, an 
initialisation value, from port ei_12 in the first IRO-cycle and never again 
afterwards. Thus, when the value of s0:Soundcard produced in the second cycle is 
propagated to port ei_12 and further to fi_12, the system jams. This is because the 
value that has been produced in the second IRO-cycle and stored at this latter 
port has not yet been read by c11:Filter. Observe that a jam is different from 
a deadlock; indeed, our example system does not deadlock since all instances of 
Element other than c1:Element continue to operate properly. 

3 CaSE: Calculus for Synchrony and Encapsulation 

This section presents our process calculus CaSE, which serves as a framework 
for deriving our formal model of coordination for DSPC design in Sect. 4. The 
purpose here is not to develop yet another process algebra, but to tailor sev- 
eral well-studied semantic concepts for addressing a specific application domain. 
CaSE is inspired by Hennessy and Regan's TPL [7], which is an extension of 
Milner's CCS [12] with regard to syntax and operational semantics. In addition 
to CCS, TPL includes (i) a single abstract clock $\sigma$ that is interpreted not 
quantitatively as some number, but qualitatively as a recurrent global synchronisation 
event; (ii) a timeout operator $\lfloor P \rfloor\sigma(Q)$, where the occurrence of $\sigma$ deactivates 
process $P$ and activates $Q$; (iii) the concept of maximal progress that implements 
the synchrony hypothesis by demanding that a clock can only tick within 
a process if the process cannot engage in any internal activity $\tau$. 

CaSE further extends TPL by (i) allowing for multiple clocks $\sigma, \rho, \ldots$ as in 
PMC [1] and CSA [3], while, in contrast to PMC and CSA, maintaining the global 
interpretation of maximal progress; (ii) explicit timelock operators $\Delta$ and $\Delta_\sigma$ 
that prohibit the ticking of all clocks and of clock $\sigma$, respectively; (iii) clock-
hiding operators $P/\sigma$ that internalise all clock ticks $\sigma$ of process $P$. Clock hiding 
is basically hiding as in CSP [8], i.e., hidden actions are made non-observable. In 
combination with maximal progress, this has the important effect that all inner 
clock ticks become included within the synchronous cycle of an outer clock. 
This is the essence of synchronous encapsulation, as is required for modelling 
isochronous broadcast and the subsystems-as-components principle. Finally, in 
contrast to TPL and similar to CCS and CSA, we will equip CaSE with a 
bisimulation-based semantic theory [12]. 

Syntax and Operational Semantics. We let $A = \{a, b, \ldots\}$ be a countable set 
of input actions and $\overline{A} = \{\bar a, \bar b, \ldots\}$ be the set of complementing output actions. 
As in CCS [12], an action $a$ communicates with its complement $\bar a$ to produce 
the internal action $\tau$. The symbol $\mathcal{A}$ denotes the set of all actions $A \cup \overline{A} \cup \{\tau\}$. 
Moreover, CaSE is parameterised in a set $\mathcal{T} = \{\sigma, \rho, \ldots\}$ of abstract clocks, or 
clocks for brief. The syntax of CaSE is defined by the following BNF: 

$P ::= 0 \mid \Delta \mid \Delta_\sigma \mid x \mid \alpha.P \mid P + P \mid P \,|\, P \mid P \backslash L \mid P/\sigma \mid \lfloor P \rfloor\sigma(P) \mid \mu x.P$ , 

where $x$ is a variable taken from some countably infinite set, $\alpha \in \mathcal{A}$, $\sigma \in \mathcal{T}$, 
and $L \subseteq \mathcal{A} \setminus \{\tau\}$ is a restriction set. Further, we use the standard definitions 
for static and dynamic operators, free and bound variables, open and closed terms, 
and guarded terms. We refer to closed and guarded terms as processes, collected in 
the set $\mathcal{P}$. For convenience, we write $\overline{L}$ for the set $\{\bar a \mid a \in L\}$, where 
$\bar{\bar a} =_{df} a$, and $x =_{df} P$ for the process $\mu x.P$. 

The operational semantics of a CaSE process $P$ is given by a labelled transition 
system $(\mathcal{P}, \mathcal{A} \cup \mathcal{T}, \rightarrow, P)$, where $\mathcal{P}$ is the set of states, $\mathcal{A} \cup \mathcal{T}$ the alphabet, 
$\rightarrow$ the transition relation and $P$ the start state. We refer to transitions with 
labels in $\mathcal{A}$ as action transitions and to those with labels in $\mathcal{T}$ as clock 
transitions. The transition relation $\rightarrow \subseteq \mathcal{P} \times (\mathcal{A} \cup \mathcal{T}) \times \mathcal{P}$ is defined in 
Table 1 using operational rules. We write $\gamma$ for a representative of $\mathcal{A} \cup \mathcal{T}$, as 
well as $P \xrightarrow{\gamma} P'$ for $(P, \gamma, P') \in \rightarrow$ and $P \xrightarrow{\gamma}$ for 
$\exists P' \in \mathcal{P}.\ P \xrightarrow{\gamma} P'$. Note that, despite the negative side conditions of some 
rules, the transition relation is well-defined for guarded processes. Our semantics 
obeys the following properties, for all clocks $\sigma \in \mathcal{T}$: (i) maximal progress, i.e., 
$P \xrightarrow{\tau}$ implies $P \overset{\sigma}{\nrightarrow}$; (ii) time determinacy, i.e., $P \xrightarrow{\sigma} P'$ 
and $P \xrightarrow{\sigma} P''$ implies $P' = P''$. It is time determinacy that distinguishes clock 
ticks from CSP broadcasting [8]. 

Table 1. Operational semantics of CaSE 

Action transitions, for $\alpha \in \mathcal{A}$ and $a \in A \cup \overline{A}$: 

  (Act)   $\alpha.P \xrightarrow{\alpha} P$ 
  (Sum1)  $P \xrightarrow{\alpha} P'$ implies $P + Q \xrightarrow{\alpha} P'$ 
  (Sum2)  $Q \xrightarrow{\alpha} Q'$ implies $P + Q \xrightarrow{\alpha} Q'$ 
  (Res)   $P \xrightarrow{\alpha} P'$ and $\alpha \notin L \cup \overline{L}$ implies $P \backslash L \xrightarrow{\alpha} P' \backslash L$ 
  (Par1)  $P \xrightarrow{\alpha} P'$ implies $P \,|\, Q \xrightarrow{\alpha} P' \,|\, Q$ 
  (Par2)  $Q \xrightarrow{\alpha} Q'$ implies $P \,|\, Q \xrightarrow{\alpha} P \,|\, Q'$ 
  (Par3)  $P \xrightarrow{a} P'$ and $Q \xrightarrow{\bar a} Q'$ implies $P \,|\, Q \xrightarrow{\tau} P' \,|\, Q'$ 
  (Hid)   $P \xrightarrow{\alpha} P'$ implies $P/\sigma \xrightarrow{\alpha} P'/\sigma$ 
  (TO)    $P \xrightarrow{\alpha} P'$ implies $\lfloor P \rfloor\sigma(Q) \xrightarrow{\alpha} P'$ 
  (Rec)   $P[\mu x.P/x] \xrightarrow{\alpha} P'$ implies $\mu x.P \xrightarrow{\alpha} P'$ 

Clock transitions, for $\sigma, \rho \in \mathcal{T}$ ($\Delta$ has no transitions at all): 

  (tNil)   $0 \xrightarrow{\sigma} 0$ 
  (tAct)   $\alpha.P \xrightarrow{\sigma} \alpha.P$, provided $\alpha \neq \tau$ 
  (tStall) $\Delta_\sigma \xrightarrow{\rho} \Delta_\sigma$, provided $\sigma \neq \rho$ 
  (tSum)   $P \xrightarrow{\sigma} P'$ and $Q \xrightarrow{\sigma} Q'$ implies $P + Q \xrightarrow{\sigma} P' + Q'$ 
  (tRes)   $P \xrightarrow{\sigma} P'$ implies $P \backslash L \xrightarrow{\sigma} P' \backslash L$ 
  (tPar)   $P \xrightarrow{\sigma} P'$, $Q \xrightarrow{\sigma} Q'$ and $P \,|\, Q \overset{\tau}{\nrightarrow}$ implies $P \,|\, Q \xrightarrow{\sigma} P' \,|\, Q'$ 
  (tHid1)  $P \xrightarrow{\sigma} P'$ implies $P/\sigma \xrightarrow{\tau} P'/\sigma$ 
  (tHid2)  $P \xrightarrow{\rho} P'$, $\sigma \neq \rho$ and $P \overset{\sigma}{\nrightarrow}$ implies $P/\sigma \xrightarrow{\rho} P'/\sigma$ 
  (tTO1)   $P \overset{\tau}{\nrightarrow}$ implies $\lfloor P \rfloor\sigma(Q) \xrightarrow{\sigma} Q$ 
  (tTO2)   $P \xrightarrow{\rho} P'$ and $\sigma \neq \rho$ implies $\lfloor P \rfloor\sigma(Q) \xrightarrow{\rho} \lfloor P' \rfloor\sigma(Q)$ 
  (tRec)   $P[\mu x.P/x] \xrightarrow{\sigma} P'$ implies $\mu x.P \xrightarrow{\sigma} P'$ 

Intuitively, the nil process $0$ permits all clocks to tick, while the timelock 
processes $\Delta$ and $\Delta_\sigma$ prohibit the ticking of any clock and of clock $\sigma$, respectively. 
Process $\alpha.P$ may engage in action $\alpha$ and then behave like $P$. If $\alpha \neq \tau$, it may 
also idle for each clock $\sigma$; otherwise, all clocks are stopped, thus respecting 
maximal progress. The summation operator denotes nondeterministic choice, 
i.e., process $P + Q$ may behave like $P$ or $Q$. Because of time determinacy, time 
has to proceed equally on both sides of summation. Process $P \,|\, Q$ stands for the 
parallel composition of $P$ and $Q$ according to an interleaving semantics with 
synchronised communication on complementary actions resulting in the internal 
action $\tau$. Again, time has to proceed equally on both sides of the operator, 
and the side condition of Rule (tPar) ensures maximal progress. The restriction 
operator $\backslash L$ prohibits the execution of actions in $L \cup \overline{L}$ and thus permits the 
scoping of actions. The clock-hiding operator $/\sigma$ within a process $P/\sigma$ turns 
every tick of clock $\sigma$ in $P$ into the internal action $\tau$. This not only hides clock $\sigma$ 
but also pre-empts all other clocks ticking in $P$ at the same states as $\sigma$, by 
Rule (tHid2). Process $\lfloor P \rfloor\sigma(Q)$ behaves as process $P$, and it can perform a $\sigma$-
transition to $Q$, provided $P$ cannot engage in an internal action, as is reflected 
in the side condition of Rule (tTO1). The timeout operator disappears as soon 
as $P$ engages in an action transition, but persists along clock transitions. Finally, 
$\mu x.P$ denotes recursion and behaves as a distinguished solution of the equation 
$x = P$. 

Our interpretation of prefixes $a.P$ adopted above, for $a \neq \tau$, is relaxed [7], 
i.e., we allow this process to idle on clock ticks. In the remainder, insistent 
prefixes $\underline{a}.P$ [1], which do not allow clocks to tick, will prove convenient as well. 
These can be expressed in CaSE by $\underline{a}.P =_{df} a.P + \Delta$. Similarly, one may define a 
prefix that only lets clocks not in $T$ tick, for $T \subseteq \mathcal{T}$, by $a_T.P =_{df} a.P + \Delta_T$, where 
$\Delta_T =_{df} \sum_{\sigma \in T} \Delta_\sigma$. As usual, $\sum$ denotes the indexed version of operator $+$, with 
the empty summation understood to be process $0$. For convenience, we abbreviate 
$\lfloor 0 \rfloor\sigma(P)$ by $\sigma.P$, and $\lfloor \Delta \rfloor\sigma(P)$ by $\underline{\sigma}.P$. We also write $P/\{\sigma_1, \sigma_2, \ldots, \sigma_k\}$ for 
$P/\sigma_1/\sigma_2 \cdots /\sigma_k$, if the order in which clocks are hidden is inessential. Moreover, 
for finite $A \subseteq \mathcal{A} \setminus \{\tau\}$ and process $P$, we let $A.P$ stand for the recursively defined 
process that performs the actions of $A$, each once and in any order, before behaving 
as $P$, if $A \neq \emptyset$, and for $P$ otherwise. Finally, instead of relabelling as in CCS [12] 
we use syntactic substitution, e.g., $P[a'/a, b'/b]$ relabels all occurrences of actions 
$a, \bar a, b, \bar b$ in $P$ by $a', \overline{a'}, b', \overline{b'}$, respectively. 

Temporal Observation Equivalence and Congruence. This section equips 
CaSE with a bisimulation-based semantics [12]. For the purposes of this paper 
we will concentrate on observation equivalence and congruence. The straightforward 
adaptation of strong bisimulation to our calculus immediately leads to a 
behavioural congruence, as can easily be verified by inspecting the format of our 
operational rules and by applying well-known results for structured operational 
semantics [16]. Observation equivalence is a notion of bisimulation in which any 
sequence of $\tau$'s may be skipped. For $\gamma \in \mathcal{A} \cup \mathcal{T}$ we define $\hat\gamma =_{df} \epsilon$ if $\gamma = \tau$ and 
$\hat\gamma =_{df} \gamma$, otherwise. Further, let $\overset{\epsilon}{\Longrightarrow} =_{df} (\xrightarrow{\tau})^*$ and $P \overset{\gamma}{\Longrightarrow} P'$ if there 
exist processes $P''$ and $P'''$ such that $P \overset{\epsilon}{\Longrightarrow} P'' \xrightarrow{\gamma} P''' \overset{\epsilon}{\Longrightarrow} P'$. 

Definition 1. A symmetric relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a temporal weak bisimulation 
if $P \xrightarrow{\gamma} P'$ implies $\exists Q'.\ Q \overset{\hat\gamma}{\Longrightarrow} Q'$ and $(P', Q') \in \mathcal{R}$, for every $(P, Q) \in \mathcal{R}$ 
and for $\gamma \in \mathcal{A} \cup \mathcal{T}$. We write $P \approx Q$ if $(P, Q) \in \mathcal{R}$ for some temporal weak 
bisimulation $\mathcal{R}$. 

Temporal observation equivalence $\approx$ is compositional for all operators except 
summation and timeout. However, for proving compositionality regarding parallel 
composition and hiding, the following proposition is central. 

Proposition 1. If $P \approx Q$ and $P \xrightarrow{\gamma} P'$, then $\exists Q', Q'', Q'''.\ Q \overset{\epsilon}{\Longrightarrow} Q'' \xrightarrow{\hat\gamma} Q''' \overset{\epsilon}{\Longrightarrow} Q'$, 
$P \approx Q''$, $P' \approx Q'$ and $\{\gamma \in \mathcal{A} \cup \mathcal{T} \mid P \xrightarrow{\gamma}\} = \{\gamma \in \mathcal{A} \cup \mathcal{T} \mid Q'' \xrightarrow{\gamma}\}$. 

The validity of this proposition is due to the maximal-progress property in CaSE. 
To identify the largest congruence contained in $\approx$, the summation fix of CCS is 
not sufficient. As in other work in temporal process algebras [3], the deterministic 
nature of clocks implies the following definition. 
Fig. 2. Illustration of our modelling toolbox: (a) Source Component Interface (SIF), 
(b) Computation Component Interface (CIF), (c) Wrapped Source Component (WSC), 
(d) Wrapped Computation Component (WCC), (e) Isochronic Fork (IsoFork), 
(f) Encapsulation Interface (EIF). [Figure: port diagrams labelled with the ports r, t, 
ft, rt, o and i.] 



Definition 2. A symmetric relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a temporal observation 
congruence if for every $(P, Q) \in \mathcal{R}$, $\alpha \in \mathcal{A}$ and $\sigma \in \mathcal{T}$: 

1. $P \xrightarrow{\alpha} P'$ implies $\exists Q'.\ Q \overset{\alpha}{\Longrightarrow} Q'$ and $P' \approx Q'$. 

2. $P \xrightarrow{\sigma} P'$ implies $\exists Q'.\ Q \overset{\sigma}{\Longrightarrow} Q'$ and $(P', Q') \in \mathcal{R}$. 

We write $P \simeq Q$ if $(P, Q) \in \mathcal{R}$ for some temporal observation congruence $\mathcal{R}$. 

Theorem 1. The equivalence $\simeq$ is the largest congruence contained in $\approx$. 

CCS [12] can be identified in terms of syntax, operational semantics and bisimulation 
semantics as the sub-calculus of CaSE that is obtained by setting $\mathcal{T} = \emptyset$. 

4 A Synchronous Coordination Model with Encapsulation 

This section presents our model of coordination for DSPC applications on the 
basis of our process calculus CaSE. As illustrated in Fig. 2 we will successively 
model the key ingredients of a DSPC application: the behaviour of its source 
and computation components towards its environment (Figs. 2a, b), a compo- 
sitional version of the centralised scheduler which is distributed to ‘wrap’ each 
component instance (Figs. 2c, d), the application’s isochronous forks connecting 
output and input ports (Fig. 2e), and the facility to encapsulate several compu- 
tation components (Fig. 2f). Having these ingredients at hand, a CaSE model 
of a DSPC application can then be built systematically along the structure of 
hierarchical signal-flow graphs, which we will illustrate by way of the digital- 
spectrum-analyser example introduced in Sect. 2. A particular emphasis will be 
given on showing how our modelling may facilitate static jam analysis. 
4.1 Component Interfaces 

A component interface describes the interaction of a source component or a basic 
computation component, which does not encapsulate a subsystem, with its 
environment via its ports (cf. Figs. 2a, b). These ports include a component's 
output ports, $O = \{o_1, \ldots, o_n\}$, for $n \geq 0$, and, in case of a computation 
component, its input ports, $I = \{i_1, \ldots, i_m\}$, for $m \geq 1$. Note that we abstract from 
values carried by signals through ports. In addition, each component interfaces 
to the system scheduler via port $r$, over which a component sends request-to-be-
scheduled messages, and port $t$ via which a token is passed between the scheduler 
and the component, with the intention that a component can go ahead with its 
computation of output signals whenever it holds the token. 

Formally, source and computation component interfaces are processes specified 
in the following CCS sub-languages of CaSE, where $i \in I$ and $o \in O$: 

Source Component Interface 
  $\mathrm{SIF} ::= 0 \mid x \mid \mathrm{SR} \mid \mu x.\mathrm{SR}$ 
  $\mathrm{SR} ::= \bar r.t.\tau.\mathrm{SO}$ 
  $\mathrm{SO} ::= \bar o.\mathrm{SO} \mid \mathrm{SO} + \mathrm{SO} \mid \bar t.\mathrm{SIF}$ 

Computation Component Interface 
  $\mathrm{CIF} ::= 0 \mid x \mid \mathrm{CI} \mid \mu x.\mathrm{CI}$ 
  $\mathrm{CI} ::= i.\mathrm{CI} \mid \mathrm{CI} + \mathrm{CI} \mid i.\mathrm{CR}$ 
  $\mathrm{CR} ::= \bar r.t.\tau.\mathrm{CO}$ 
  $\mathrm{CO} ::= \bar o.\mathrm{CO} \mid \mathrm{CO} + \mathrm{CO} \mid \bar t.\mathrm{CIF}$ 

Intuitively, after reading its inputs in case of a computation component, a component 
instance (i) requests to be scheduled (action $\bar r$), (ii) waits for receiving the 
scheduler's token (action $t$), which indicates that the request has been granted 
and ensures serialisation on the underlying single processor, (iii) computes the 
output signal values (internal action $\tau$), (iv) outputs these signal values over the 
corresponding output ports, and (v) returns the token to the scheduler (action $\bar t$). 
The interfaces of the source and basic computation component instances of our 
example system can then be specified as follows: 

  $\mathrm{SIF}_{s0} = \bar r.t.\tau.\overline{so}.\bar t.\mathrm{SIF}_{s0}$ 
  $\mathrm{SIF}_{sk} = \bar r.t.\tau.\overline{co_k}.\bar t.0$ 
  $\mathrm{CIF}_{ck1} = fi_{k1}.fi_{k2}.\bar r.t.\tau.\overline{fo_k}.\bar t.\mathrm{CIF}'_{ck1}$ 
  $\mathrm{CIF}'_{ck1} = fi_{k1}.\bar r.t.\tau.\overline{fo_k}.\bar t.\mathrm{CIF}'_{ck1}$ 
  $\mathrm{CIF}_{ck2} = qi_k.\bar r.t.\tau.\overline{qo_k}.\bar t.\mathrm{CIF}_{ck2}$ 
  $\mathrm{CIF}_{dk} = gi_k.\bar r.t.\tau.\bar t.\mathrm{CIF}_{dk}$ 

Note that sk:Const produces an output $co_k$ during the first cycle only, while 
ck1:Filter within ck:Element reads an input from port $fi_{k2}$ during the first cycle 
only, as desired. 



4.2 Component Instances and Scheduling 

As seen above, a component uses its ports r and t to negotiate its execution with 
a scheduler. From the point of view of the component, it does not matter whether 
it communicates with a centralised or a distributed scheduler. In this section we 
develop a concept of wrappers for harnessing component instances with enough 
local control so they participate coherently in a global IRO-scheduling scheme, 
without the presence of a global scheduler (cf. Figs. 2c, d). Indeed all wrappers 
added together will represent a distributed version of an imagined central IRO 
scheduler. 

Before introducing our distributed scheduler we present, for reference, an 
abstract model of the global centralised scheduler, as employed in the DSPC tool 
iConnect [15]. It uses an abstract clock $\sigma$ that reflects the phase clock inherent 
in IRO scheduling. This clock organises the strict alternation between source 
and computation phases and, by way of maximal progress, implements run-to- 
completion within each phase. The global scheduler is defined via the following 
two sets of process equations, namely CSC that models the computation phase 
and CSS that models the source phase. They are stated relative to the sets S of 
source component instances and C of computation component instances within 
the signal-flow graph under consideration. 

  $\mathrm{CSC}(W, \sigma) =_{df} \lfloor \mathrm{C}(W, \sigma) \rfloor\sigma(\mathrm{CSS}(\emptyset, \emptyset, \sigma))$ 
  $\mathrm{C}(W, \sigma) =_{df} \sum_{c \in C \setminus W} r_c.\mathrm{CSC}(W \cup \{c\}, \sigma) + \sum_{c \in W} \bar t_c.t_c.\mathrm{CSC}(W \setminus \{c\}, \sigma)$ 
  $\mathrm{CSS}(W, D, \sigma) =_{df} \lfloor \mathrm{S}(W, D, \sigma) \rfloor\sigma(\mathrm{CSC}(\emptyset, \sigma))$ 
  $\mathrm{S}(W, D, \sigma) =_{df} \sum_{s \in S \setminus (W \cup D)} r_s.\mathrm{CSS}(W \cup \{s\}, D, \sigma) + \sum_{s \in W} \bar t_s.t_s.\mathrm{CSS}(W \setminus \{s\}, D \cup \{s\}, \sigma)$ 

The process equations are parameterised in the phase clock $\sigma$, as well as the 
set $W$ of component instances that are waiting for their scheduling request to be 
granted and the set $D$ of source component instances that have already executed 
during the current source phase. Recall that each source component instance 
can execute at most once during each source phase, while each computation 
component instance may execute several times during a computation phase. 
While there are component instances that request to be scheduled or wait for 
being scheduled, the scheduler remains in the current phase, as is enforced by 
maximal progress. Otherwise, the phase clock may tick and switch phases. 

To distribute this centralised scheduler over each component instance, all we 
assume is that the single embedded processor, on which the DSPC application is 
scheduled, provides some facility to ensure mutual exclusion. This may be modelled 
via a single token that the processor passes on to the component instance 
that may execute next: $\mathrm{CPUtoken} =_{df} \overline{ft}.rt.\mathrm{CPUtoken}$, where $ft$ stands for fetch 
token and $rt$ for release token. Now, we may define the wrapping of computation 
and source component instances via meta-processes WCC and WSC, respectively. 
They are parameterised in the computation (source) component interface 
$\mathrm{CIF}_c$ ($\mathrm{SIF}_s$) of a given computation (source) component instance $c$ ($s$), as well 
as in the phase clock $\sigma$. 

  $\mathrm{WCC}(\mathrm{CIF}_c, \sigma) =_{df} (\mathrm{CIF}_c \mid \mathrm{CW}(\sigma))\backslash\{r, t\}$ 
  $\mathrm{CW}(\sigma) =_{df} \lfloor r.ft.\bar t.t.\overline{rt}.\mathrm{CW}(\sigma) \rfloor\sigma(\sigma.\mathrm{CW}(\sigma))$ 
  $\mathrm{WSC}(\mathrm{SIF}_s, \sigma) =_{df} (\mathrm{SIF}_s \mid \sigma.\mathrm{SW}(\sigma))\backslash\{r, t\}$ 
  $\mathrm{SW}(\sigma) =_{df} \lfloor r.ft.\bar t.t.\overline{rt}.\sigma.\sigma.\mathrm{SW}(\sigma) \rfloor\sigma(\sigma.\mathrm{SW}(\sigma))$ 

Consider process $\mathrm{WCC}(\mathrm{CIF}_c, \sigma)$, which runs the wrapping process $\mathrm{CW}(\sigma)$ alongside 
the computation component interface $\mathrm{CIF}_c$. Both synchronise via the now 
internalised channels $r$ and $t$. If the component instance $c$ signals its desire to 
be scheduled via a communication on channel $r$, the wrapping process $\mathrm{CW}(\sigma)$ 
waits until it may fetch the CPU token (action $ft$), passes on the token via the 
internal channel $t$, waits until the token has been passed back via the same channel, 
i.e., until the execution of $c$ is complete, and then surrenders the token to 
the CPU (action $\overline{rt}$). If no computation component instance wishes to be scheduled, 
process $\mathrm{CW}(\sigma)$ may time out, thus allowing the overall system to switch to 
the source phase. In this state, component instance $c$ must wait until the clock 
ticks again, i.e., until the scheduling has returned to the computation phase. The 
behaviour of $\mathrm{WSC}(\mathrm{SIF}_s, \sigma)$ wrapping source component instances is similar, except 
that those may only be scheduled once during each source phase. Thus, 
the source wrapper process $\mathrm{SW}(\sigma)$ makes sure that two clock ticks have to pass 
before a request of the wrapped source component instance is considered again. 
Moreover, note that the initial $\sigma$-prefix in front of the wrapping process $\mathrm{SW}(\sigma)$ 
ensures that the first source phase begins with the first ticking of $\sigma$. The following 
theorem shows that our compositional approach to scheduling coincides 
with the centralised one, where $\prod_{k \in K} P_k$ stands for the parallel composition of 
processes $P_k$, for a finite index set $K$. 

Theorem 2. Let $S$ ($C$) be a finite set of source (computation) components with 
interfaces $\mathrm{SIF}_s$ ($\mathrm{CIF}_c$), for $s \in S$ ($c \in C$), let $\sigma$ be the phase clock, and let 
$R =_{df} \{r_s, t_s \mid s \in S\} \cup \{r_c, t_c \mid c \in C\}$. Then 

  $(\prod_{s \in S} \mathrm{WSC}(\mathrm{SIF}_s, \sigma) \mid \prod_{c \in C} \mathrm{WCC}(\mathrm{CIF}_c, \sigma) \mid \mathrm{CPUtoken})\backslash\{ft, rt\} \;\simeq\;$ 
  $(\prod_{s \in S} \mathrm{SIF}_s[r_s/r, t_s/t] \mid \prod_{c \in C} \mathrm{CIF}_c[r_c/r, t_c/t] \mid \mathrm{CSC}(\emptyset, \sigma))\backslash R$ . 



4.3 Isochronic Forks 

Before encoding isochronous forks in CaSE we present their naive modelling 
in CCS. To do so, we introduce a new output prefix $\bar o; P$ and assume that 
output port $o$ shall be connected to input ports $I = \{i_1, i_2, \ldots, i_m\}$ via an 
isochronic fork, as sketched in Fig. 2e. We need to ensure that the signal transmitted 
via $o$ reaches all $i_k$, for $1 \leq k \leq m$, before process $P$ executes. To model 
this, we define $\bar o; P =_{df} \bar o.f_o.P$ and $\mathrm{ForkWire}(o, I) =_{df} o.\overline{I}.\bar f_o.\mathrm{ForkWire}(o, I)$. Here, 
$\mathrm{ForkWire}(o, I)$ models the forking wire between port $o$ and the ports in $I$. This 
wire distributes messages from the output port to all input ports and, once 
finished, signals this via the distinguished action $\bar f_o$. The sending process $\bar o; P$ 
has to wait for synchronisation on $f_o$ before it can proceed with $P$, whence ensuring 
isochrony. While this solution is feasible, it requires that the number of 
intended recipients of a broadcasted signal is fixed up front and cannot grow as 
components are added to a signal-flow graph. 

To overcome this problem we employ isochronic wires that connect the output 
port with exactly one input port, and use a fresh clock under maximal 
progress for synchronisation between sender and receivers of a broadcast signal. 
In analogy to the above we define the new isochronic output prefix $\bar o{:}P =_{df} \mathrm{C}_{o,P}$ 
with $\mathrm{C}_{o,P} =_{df} \lfloor \bar o.\mathrm{C}_{o,P} \rfloor\sigma_o(P)$ and an isochronic wire connecting $o$ to input port $i$ 
by $\mathrm{IsoWire}(o, i) =_{df} o.\bar\imath_{\sigma_o}.\sigma_o.\mathrm{IsoWire}(o, i)$. Thus, for a broadcast request $\bar o$, an 
arbitrary number of copies of the signal will be communicated on $o$ until clock $\sigma_o$, 
which defines the isochronous instant in which the communication occurs, ticks 
and ends that instant. Because of maximal progress, $\sigma_o$ can only tick when 
there are no further receivers listening on $o$. In this way signal $\bar o$ obtains maximal 
distribution, and one can add further receiving ports $j$ later on by simply 
including a new isochronic wire from $o$ to $j$ without having to change the existing 
model. The following theorem shows that our compositional approach to 
isochronic broadcast faithfully models isochronous forks. 

Theorem 3. Let $o \in A$, $I \subseteq_{fin} A$ and $P \in \mathcal{P}$. Then 

  $(\bar o{:}P \mid \prod_{i \in I} \mathrm{IsoWire}(o, i))\backslash\{o\}/\sigma_o \;\simeq\; (\bar o; P \mid \mathrm{ForkWire}(o, I))\backslash\{o, f_o\} \mid \Delta_{\sigma_o}$ . 

The parallel component $\Delta_{\sigma_o}$ caters for the fact that the clock hiding operator $/\sigma_o$ 
eliminates clock $\sigma_o$. From now on we assume that all action prefixes $\bar o.P$ referring 
to the output ports of our component interfaces are replaced by isochronic 
ones $\bar o{:}P$, e.g., $\mathrm{SIF}_{s0}$ becomes $\bar r.t.\tau.\overline{so}{:}\bar t.\mathrm{SIF}_{s0}$. 
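As an added worked derivation (not part of the original paper), the rules of 
Table 1 can be run by hand on the left-hand side of Theorem 3 for two wires, 
$I = \{i_1, i_2\}$, to see where isochrony comes from. Write 
$\mathrm{W}_j =_{df} \mathrm{IsoWire}(o, i_j)$, $\mathrm{W}'_j =_{df} \bar\imath_j.\sigma_o.\mathrm{W}_j + \Delta_{\sigma_o}$ (the wire holding a value) 
and $\mathrm{W}''_j =_{df} \sigma_o.\mathrm{W}_j$ (the wire after delivery), let the receivers of $\bar\imath_1, \bar\imath_2$ 
be part of the environment, and let $L = \{o\}$. One run of the instant is 

$(\mathrm{C}_{o,P} \mid \mathrm{W}_1 \mid \mathrm{W}_2)\backslash L 
 \xrightarrow{\tau} (\mathrm{C}_{o,P} \mid \mathrm{W}'_1 \mid \mathrm{W}_2)\backslash L 
 \xrightarrow{\bar\imath_1} (\mathrm{C}_{o,P} \mid \mathrm{W}''_1 \mid \mathrm{W}_2)\backslash L 
 \xrightarrow{\tau} (\mathrm{C}_{o,P} \mid \mathrm{W}''_1 \mid \mathrm{W}'_2)\backslash L 
 \xrightarrow{\bar\imath_2} (\mathrm{C}_{o,P} \mid \mathrm{W}''_1 \mid \mathrm{W}''_2)\backslash L 
 \xrightarrow{\sigma_o} (P \mid \mathrm{W}_1 \mid \mathrm{W}_2)\backslash L .$ 

The two $\tau$-steps are instances of (Par3) and (Res): $\mathrm{C}_{o,P} \xrightarrow{\bar o} \mathrm{C}_{o,P}$ by (Act) 
and (TO), and $\mathrm{W}_j \xrightarrow{o} \mathrm{W}'_j$ by (Act); the wires may also take the value in the 
other order. In the first four states $\sigma_o$ cannot tick: either a $\tau$ is still possible, 
because the sender offers $\bar o$ and some wire still listens on $o$, so (tPar) is blocked 
by maximal progress, or a wire is in state $\mathrm{W}'_j$, whose summand $\Delta_{\sigma_o}$ has no 
$\sigma_o$-transition by (tStall) and therefore, by (tSum) and (tPar), stops $\sigma_o$. Only in 
the fifth state is $\sigma_o$ enabled: no wire listens on $o$ any more, so $\mathrm{C}_{o,P} \overset{\tau}{\nrightarrow}$ and 
(tTO1) gives $\mathrm{C}_{o,P} \xrightarrow{\sigma_o} P$, while (tTO1) on $\lfloor 0 \rfloor\sigma_o(\mathrm{W}_j)$ gives 
$\mathrm{W}''_j \xrightarrow{\sigma_o} \mathrm{W}_j$, and (tPar) and (tRes) combine them. Under $/\sigma_o$ this last step 
becomes a $\tau$ by (tHid1), so $P$ proceeds exactly when every wire has delivered its 
copy, which is what the wait for $f_o$ achieves in the ForkWire encoding. 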

Note that isochronous wiring cannot be modelled faithfully and compositionally 
in Hoare's CSP [8] or Prasad's CBS [13]. While the broadcasting primitive 
in CSP ignores the direction in which information is propagated, the one in CBS 
does not force receivers to synchronise with the sender. 



4.4 Encapsulation 

Hierarchical signal-flow graphs allow system designers to encapsulate several 
interconnected computation components, i.e., a subsystem, into a single 
computation component. As depicted in Fig. 2f, a subsystem is a tuple 
$(C_e, W_e, I, O, W_I, W_O)$ that consists of (i) a finite set $C_e \subseteq C$ of computation 
components, with disjoint sets of input ports $I_e$ and sets of output ports $O_e$, 
(ii) a set $W_e \subseteq O_e \times I_e$ of internal isochronic wires connecting output ports in $O_e$ 
with input ports in $I_e$, (iii) a set of input ports $I = \{i_1, \ldots, i_m\}$, (iv) a set of 
output ports $O = \{o_1, \ldots, o_n\}$, (v) a set $W_I \subseteq I \times I_e$ of isochronic wires 
connecting the input ports of the subsystem with the input ports of the 
encapsulated components, and (vi) a set $W_O \subseteq O_e \times O$ of isochronic wires 
connecting the output ports of the encapsulated components with the output 
ports of the subsystem. In the example of Fig. 1 we have ck:Element $=$ 
$(\{ck1\text{:Filter}, ck2\text{:Quantise}\}, \{(fo_k, qi_k)\}, \{ei_{k1}, ei_{k2}\}, \{eo_k\}, \{(ei_{k1}, fi_{k1}), (ei_{k2}, fi_{k2})\},$ 
$\{(qo_k, eo_k)\})$. The CaSE model of this subsystem is given by 

  $\mathrm{Element}_k(\sigma_e) =_{df} (\prod_{c \in C_e} \mathrm{WCC}'(\mathrm{CIF}_c, \sigma_e) \mid \prod_{(o_e, i_e) \in W_e} \mathrm{IsoWire}(o_e, i_e) \mid$ 
  $\quad \prod_{(i, i_e) \in W_I} \mathrm{IsoWire}(i, i_e) \mid \prod_{(o_e, o) \in W_O} \mathrm{IsoWire}(o_e, o))\backslash I_e \backslash O_e / \sigma_{O_e}$ , 

where $\sigma_{O_e} =_{df} \{\sigma_{o_e} \mid o_e \in O_e\}$ contains the clocks governing the encapsulated 
isochronic wires. Also, $\mathrm{WCC}'(\mathrm{CIF}_c, \sigma_e) =_{df} (\mathrm{CIF}_c \mid \mathrm{CW}'(\sigma_e))\backslash\{r, t\}$ is an updated 
version of our instantiation wrapper given in Sect. 4.2, with 
$\mathrm{CW}'(\sigma_e) =_{df} \lfloor r.(ft.\bar t.t.\overline{rt}.\mathrm{CW}'(\sigma_e) + \bar r_e.ft.\bar t.t.\overline{rt}.\mathrm{CW}'(\sigma_e)) \rfloor\sigma_e(\sigma_e.\mathrm{CW}'(\sigma_e))$. 
As subsystems must be executed atomically, the first encapsulated computation 
component that is ready to execute needs to request the mutual-exclusion token 
from its environment (action $\bar r_e$), i.e., from the subsystem at the next higher 
hierarchy level. Our modelling of encapsulation must then ensure that the token 
is only passed up to the environment once all computation components within 
the subsystem, which are able to execute, have actually executed. This is achieved 
via an encapsulation wrapper $\mathrm{EW}(\mathrm{SS}, I, O, \sigma_e)$ that is parameterised in the CaSE 
model SS of the subsystem under consideration, with input ports $I$, output ports $O$ 
and subsystem clock $\sigma_e$. The encapsulation wrapper essentially translates back the 
scheduling interface $\{ft, rt, \sigma_e\}$ into $\{r, t\}$, which is the scheduling interface of a 
basic component. 

  $\mathrm{EW}(\mathrm{SS}, I, O, \sigma_e) =_{df} (\mathrm{SS}[i'_1/i_1, \ldots, i'_m/i_m, o'_1/o_1, \ldots, o'_n/o_n] \mid \mathrm{EI}(I, \sigma_e) \mid \mathrm{EO}(O, \sigma_e))$ 
  $\quad \backslash\{i'_1, \ldots, i'_m, o'_1, \ldots, o'_n, ft, rt, r_e\} / \sigma_I / \sigma_e$ 
  $\mathrm{EI}(I, \sigma_e) =_{df} \sum_{i \in I} i.\overline{i'}{:}\mathrm{EI}(I, \sigma_e) + r_e.\bar r.t.\mathrm{EI}'(I, \sigma_e)$ 
  $\mathrm{EI}'(I, \sigma_e) =_{df} \lfloor \overline{ft}.rt.\mathrm{EI}'(I, \sigma_e) \rfloor\sigma_e(\bar t.\mathrm{EI}(I, \sigma_e))$ 
  $\mathrm{EO}(O, \sigma_e) =_{df} \sum_{o \in O} o'.\bar o{:}\mathrm{EO}(O, \sigma_e)$ , 

where all $i'$, for $i \in I$, and $o'$, for $o \in O$, are fresh port names not used in SS, 
and where $\sigma_I =_{df} \{\sigma_i \mid i \in I\}$. The wrapper process $\mathrm{EI}(I, \sigma_e)$ propagates all input 
signals entering the subsystem to the desired receiving components, within the 
same cycle of the subsystem clock $\sigma_e$. Once an inner component requests to be 
scheduled (action $r_e$), the wrapper process forwards this request via port $\bar r$ to 
the next upper hierarchy level and waits for the token, indicating granted access 
to the embedded processor, to be passed down via port $t$. In this state, the 
encapsulation wrapper essentially behaves as process CPUtoken has done before, 
i.e., engaging in a communication cycle between ports $ft$ and $rt$, until no further 
encapsulated component wishes to execute, i.e., until clock $\sigma_e$ triggers a timeout 
and the token is passed back up (action $\bar t$). The outputs produced by components 
within the subsystem are instantaneously propagated to the subsystem's 
environment via the parallel process $\mathrm{EO}(O, \sigma_e)$, which is part of the encapsulation 
wrapper. Note that our encapsulation wrapper hides the inner clock $\sigma_e$, whose 
ticking thus appears like an internal, unobservable computation, from the point 
of view of components outside the subsystem under consideration. The following 
theorem puts the subsystems-as-components principle on a formal footing. 

Theorem 4. Let SS be the CaSE model of a subsystem $(C_e, W_e, I, O, W_I, W_O)$ 
using $\sigma_e$ as subsystem clock. Then, there exists a computation component $c$ 
with input ports $I$, output ports $O$ and component interface $\mathrm{CIF}_c$ such that 
$\mathrm{EW}(\mathrm{SS}, I, O, \sigma_e) \approx \mathrm{EW}(\mathrm{WCC}(\mathrm{CIF}_c, \sigma_e), I, O, \sigma_e) \mid \Delta_{\sigma_{O_e}}$ . 

We now have all tools of our DSPC modelling toolbox to complete the overall 
CaSE model $\mathrm{DSA}(\rho)$ of the digital spectrum analyser of Fig. 1, under phase 
clock $\rho$ and given the component interfaces provided in Sect. 4.1: 

  $\mathrm{DSA}(\rho) =_{df} (\mathrm{WSC}(\mathrm{SIF}_{s0}, \rho) \mid$ 
  $\quad \prod_{k \geq 1}(\mathrm{WSC}(\mathrm{SIF}_{sk}, \rho) \mid \mathrm{WCC}(\mathrm{EW}(\mathrm{Element}_k(\sigma_k), \{ei_{k1}, ei_{k2}\}, \{eo_k\}, \sigma_k), \rho) \mid$ 
  $\quad\quad \mathrm{WCC}(\mathrm{CIF}_{dk}, \rho) \mid \mathrm{IsoWire}(so, ei_{k1}) \mid \mathrm{IsoWire}(co_k, ei_{k2}) \mid \mathrm{IsoWire}(eo_k, gi_k))$ 
  $\quad )\backslash\{co_k, ei_{k1}, ei_{k2}, eo_k, gi_k \mid k \geq 1\}\backslash\{so\} / \{\sigma_{co_k}, \sigma_{eo_k} \mid k \geq 1\} / \sigma_{so}$ 

Observe that our modelling proceeds along the structure of the hierarchical signal-
flow graph of Fig. 1. 
4.5 Jam Analysis. A jam occurs when an output signal value produced by one component cannot be consumed by an intended receiving component within the same IRO-cycle. In current DSPC tools, jams are detected by the run-time system; upon detection of a jam, a DSPC application is simply terminated. 

In our model of coordination we will encode jams in such a way that a jam manifests itself as a timelock regarding the overall system clock $\rho$. Such a timelock will occur when an isochronic wire is unable to pass on the value it holds. This can be achieved by modifying processes IsoWire(b, i) throughout, such that clock $\rho$ is stopped when the wire already stores a signal value but has not yet been able to pass it on to port i; formally, IsoWire(b, i) =df .ao.IsoWire(b, i). 

Consequently, the local ‘jam’ condition is turned into a timing flaw, which is a global condition that stops the complete system, as desired. The next theorem makes this mathematically precise; note that our model of coordination of a DSPC system does not possess any infinite $\tau$-computations, as long as the system does not contain computation components that are wired up in feedback loops in which these components continuously trigger themselves. 

Theorem 5. Let $P$ be a process that possesses only $\tau$- and $\rho$-transitions and no infinite $\tau$-computations, and let $\mathit{Check} =_{df}$ px.'iA\p{x). Then $P \approx \mathit{Check}$ if and only if
$$\forall P'.\ \forall s \in \{\tau, \rho\}^*.\ P \xrightarrow{s} P' \ \Longrightarrow\ P' \xrightarrow{\rho}.$$

Hence, when considering that our model of coordination for an arbitrary hierar- 
chical signal-flow graph can be automatically constructed from the flow graph’s 
given component interfaces, one may statically check for jams by employing 
well-known algorithms for computing temporal observation equivalence [4]. 



5 Related Work 

To the best of our knowledge, our process-algebraic model of coordination is 
the first formal model of the synchronous and hierarchical scheduling disci- 
pline behind DSPC tools. It complements existing work in distributed object- 
oriented systems and in architectural description languages. There, the focus is 
on distributed software rather than on embedded centralised systems, and con- 
sequently on asynchronous rather than on synchronous component behaviour. 

In object-oriented systems, process-algebraic frameworks have been studied, 
where processes model the life-cycle of objects [14]. Within these frameworks, 
one may reason at compile-time whether each invocation of an object’s method 
at run-time is permissible. This semantic analysis is different from jam analysis 
in DSPC applications, but similar to the compatibility analysis of interface au- 
tomata [5], which we will discuss below. In architectural description languages, 
the formalism of process algebra has been studied by Bernardo et al. [2]. Their 
approach rests on the use of CSP-style broadcast communication together with 
asynchronous parallel composition. Like in our application domain of DSPC 
design, the intention is to identify communication problems, but these are di- 
agnosed in terms of deadlock behaviour. As illustrated earlier, deadlock is a 
more specific property than the jam property investigated by us: a jam in one 
component jams the whole system, but a deadlock in one component does not 
necessarily result in a system deadlock. 

From a practical point of view we envision our model of coordination based 
on the process calculus CaSE to play the role of a reactive-types language. This 
would enable designers to specify the intended interactions between a given com- 
ponent and its environment as a type, and permit tool implementations to reduce 
type checking to temporal observation-equivalence checking. This idea is some- 
what similar to the one of behavioural types in the Ptolemy community [11]. 
Behavioural types are based on the formalism of interface automata [5] and 
employed for checking the compatibility property between components. How- 
ever, interface automata are not expressive enough to reason about jams, which 
Ptolemy handles by linear-algebra techniques for the restricted class of syn- 
chronous data-flow (SDF) models. In contrast, CaSE’s semantic theory is more 
general than SDF and lends itself to checking jams at compile-time. 

6 Conclusions and Future Work 

This paper presented a novel compositional model of coordination for the syn- 
chronous component-based design of and reasoning about DSPC applications. 
We demonstrated that the semantic concepts underlying the IRO principle of 
DSPC tools, namely dynamic synchronous scheduling, isochrony and encapsu- 
lation, can be captured by uniformly combining the process-algebraic concepts 
of abstract clocks, maximal progress and clock hiding, which have been studied 
in the concurrency-theory community. The standard notion of temporal obser- 
vation equivalence then facilitates the desired static reasoning about jams in 
DSPC applications. Future work should integrate our work in DSPC tools in 
the form of a reactive-types system. A prototype written in Haskell is currently 
being implemented in Sheffield. 

Acknowledgements. We thank the anonymous referees, as well as Rance Cleaveland and Matt Fairtlough for their valuable comments and suggestions. 
Abstract. We develop a new notion of approximation of labelled 
Markov processes based on the use of conditional expectations. The key 
idea is to approximate a system by a coarse-graining of the state space 
and using averages of the transition probabilities. This is unlike any of the 
previous notions where the approximants are simulated by the process 
that they approximate. The approximations of the present paper are cus- 
tomizable, more accurate and stay within the world of LMPs. The use of 
averages and expectations may well also make the approximations more 
robust. We introduce a novel condition - called “granularity” - which 
leads to unique conditional expectations and which turns out to be a key 
concept despite its simplicity. 



1 Introduction 

Labelled Markov Processes (LMPs) are probabilistic transition systems where 
the state space might be any general measurable space, in particular this includes 
situations where the state space may be continuous. They are essentially tradi- 
tional discrete-time Markov processes enriched with the process-algebra based 
notion of interaction by synchronization on labels. These have been studied in- 
tensively in the last few years ([6,7,8,15]). This is because they embody simple 
probabilistic interactive behaviours, and yet are rich enough to encompass many 
examples and to suggest interesting mathematics. 

The initial motivation was the inclusion of continuous state spaces with a 
view towards eventual applications involving stochastic hybrid systems. An un- 
expected benefit of this additional generality has been the discovery that a simple 
temporal probabilistic logic, $\mathcal{L}_0$, captures a natural notion of equivalence be- 
tween such processes, namely strong bisimulation. Remarkably this logic needs 
neither infinite conjunction, even though the systems may have even uncount- 
able branching, nor negation nor any kind of negative construct (like the “must” 
modality). With this logical view, it became natural to think of the interplay 
between discrete structures (the logic) and the continuous mathematics of LMPs 
(measure and probability theory). This led to the important question of under- 
standing what it means to be an approximation of a given LMP and especially 
of a “finite” approximant. 

The approximation theory has developed along two lines. Desharnais et al. [7] 
have developed a metric between LMPs which can be viewed as a “relaxation” of 
the notion of strong bisimulation. This metric can be used to say that one LMP 
“comes close to” behaving like another. The other direction was to develop a 
notion of “finite” approximant [8,9] and cast this in a domain theoretic setting. 
The papers just cited established that even a system with an uncountable state 
space could be approximated by a family of finite state processes. The family 
of approximants converge to the system being approximated in both metric and 
domain-theoretic senses. The approximations interact smoothly with the logic in 
the following sense. Any formula of $\mathcal{L}_0$ that is satisfied by any approximant of 
P are satisfied by the process P itself and any formula satisfied by P is satisfied 
by some approximant. 

In a recent paper Danos and Desharnais [5] have developed a variant of the 
approximation that has two important advantages. First, the approximations 
can be “guided” by a family of formulas of interest. In other words, if there is a 
set of formulas of particular interest one can construct a specific finite approx- 
imant geared towards these formulas. One can then be sure that the process in 
question satisfied a formula of interest if and only if the approximant did. Second, 
a much more compact representation was used so that loops were not unwound 
and convergence was attained more rapidly. A disadvantage was that the ap- 
proximations obtained were not LMPs because the transition “probabilities” are 
not measures. Instead they were capacities [2]. Capacities are not additive but 
they have instead a continuity property and are sub (or super) additive. The 
variants of LMPs obtained by using capacities instead of measures are called 
pre-LMPs. 

In the present paper we show that we can have the best of both worlds in 
the sense that we can have the flexibility of a customizable approach to approx- 
imation and stay within the realm of LMPs. The approach is based on a radical 
departure from the ideas of the previous approaches [5,9]. In these approaches 
one always approximated a system by ensuring that the transition probabilities 
in the approximant were below the corresponding transition in the full system. 
Here we approximate a system by taking a coarse-grained discretization (pixel- 
lization) of the state space and then using average values. This new notion is not 
based on the natural simulation ordering between LMPs as were the previous 
approaches. 

Instead we use conditional expectation. This is a traditional construction in probability theory which, given a probability triple $(S, \Sigma, p)$ (sample space), a $\Sigma$-measurable random variable $X$ (observation) and a sub-$\sigma$-algebra $A$ (pixellization of the sample space), returns the conditional expectation of $X$ with respect to $p$ and $A$, written $E_p(X \mid A)$, which in some suitable sense is the ‘best’ possible $A$-measurable approximation of $X$. The best will prove to be enough in our case, in that conditional expectations will construct for us low-resolution averages of any given LMP. Furthermore, an LMP will be known completely, up to bisimilarity, from its finite-resolution (meaning finite state) averages. 

Moreover the new construction gives closer approximants in a sense that 
we will have to make precise later. They are also likely to be more robust to 
numerical variations in the system that one wants to approximate, since they 
are based on averages. Of course this is a speculative remark and needs to be 
thrashed out in subsequent work. To summarize, the new approximants are 
customizable, probabilistic and more accurate and possibly more robust as well. 

Beyond the construction given here, we would like to convey the idea that 
probability theory and its toolkit - especially the uses of averages and expecta- 
tion values - are remarkably well adapted to a computationally-minded approach 
to probabilistic processes. It has a way of meshing finite and continuous notions 
of computations which is not unlike domain-theory. We expect far more inter- 
action in the future between these theories than what is reported here. Work 
on probabilistic powerdomains [12] and integration on domains [10,11] provides 
a beginning. Curiously enough the bulk of work in probabilistic process algebra 
rarely ever mentions averages or expectation values. We hope that the present 
paper stimulates the use of these methods by others. 

Outline. First we recall the definitions of our two basic objects of concern, LMPs 
and conditional expectations. Then we identify circumstances in which the con- 
ditional expectation is actually defined pointwise and not only “almost every- 
where”. We construct an adaptation of Lebesgue measure on any given LMP 
that will serve as the ambient probability which we need to drive the construc- 
tion home. With all this in place we may turn to the definition of approximants. 
We show they are correct both by a direct argument and by showing the precise 
relation in which they stand with the order-theoretic approximants given in [5]. 

2 Preliminaries 

2.1 Measurable Spaces and Probabilities 

A measurable space is a pair $(S, \Sigma)$ where $S$ is a set and $\Sigma \subseteq 2^S$ is a $\sigma$-algebra over $S$, that is, a set of subsets of $S$, containing $S$ and closed under countable intersection and complement. Well-known examples are $[0,1]$ and $\mathbb{R}$ equipped with their respective Borel $\sigma$-algebras generated by the intervals, which we will both denote by $\mathcal{B}$. 

A map $f$ between two measurable spaces $(S, \Sigma)$ and $(S', \Sigma')$ is said to be measurable if for all $Q' \in \Sigma'$, $f^{-1}(Q') \in \Sigma$. Writing $\sigma(f)$ for the $\sigma$-algebra generated by $f$, namely the set of sets of the form $f^{-1}(Q')$ with $Q' \in \Sigma'$, one can rephrase this by saying $\sigma(f) \subseteq \Sigma$. The set of measurable maps from $(S, \Sigma)$ to $(\mathbb{R}, \mathcal{B})$ will be denoted $m\Sigma$. 

A subprobability on $(S, \Sigma)$ is a map $p : \Sigma \to [0,1]$ such that for any countable collection $(Q_n)$ of pairwise disjoint sets in $\Sigma$, $p(\bigcup_n Q_n) = \sum_n p(Q_n)$. An actual probability is when in addition $p(S) = 1$. The condition on $p$ is called $\sigma$-additivity and can be conveniently broken in two parts: 

— additivity: $p(Q \cup Q') = p(Q) + p(Q')$, for $Q, Q'$ disjoint, 

— continuity: $\forall \uparrow\! Q_n \in \Sigma :\ p(\bigcup Q_n) = \sup_n p(Q_n)$.¹ 

Let $(S, \Sigma, p)$ be a probability triple, that is to say a measurable space $(S, \Sigma)$ together with a probability $p$. A subset $N \subseteq S$ is said to be negligible if there exists a $Q \in \Sigma$ such that $N \subseteq Q$ and $p(Q) = 0$. 

We write $\mathcal{N}_p$ for the $p$-negligible subsets. Two functions $X, Y$ on $(S, \Sigma, p)$ are said to be almost surely equal, written $X = Y$ a.s., if $\{s \in S \mid X(s) \neq Y(s)\} \in \mathcal{N}_p$. Sometimes we say $p$-a.s. equal if we wish to emphasize which measure we are talking about. 

The subset of $m\Sigma$ consisting of the functions that are integrable with respect to $p$ will be denoted by $\mathcal{L}^1(S, \Sigma, p)$. A last piece of notation that we will use is to write $X_n \uparrow X$ when the $X_n$ and $X$ are in $m\Sigma$, meaning that $X_n \le X_{n+1}$ with respect to the pointwise ordering and $X_n$ converges pointwise to $X$. 

2.2 Labelled Markov Processes 

We need to define the objects of study: 

Definition 1 (LMP). $\mathcal{S} = (S, \Sigma, h : L \times S \times \Sigma \to [0,1])$ is a Labelled Markov Process (LMP) if $(S, \Sigma)$ is a measurable space, and: 

— for all $a \in L$, $Q \in \Sigma$, $h(a, s, Q)$ is $\Sigma$-measurable as a function of $s$; 

— for all $s \in S$, $h(a, s, Q)$ is a subprobability as a function of $Q$. 

Some particular cases: 1) when $S$ is finite and $\Sigma = 2^S$ we have the familiar probabilistic transition system, 2) when $h(a, s, Q)$ does not depend on $s$ or on $a$ we have the familiar (sub)probability triple. An example of the latter situation is $([0,1], \mathcal{B}, h)$ with $h(a, s, B) = \lambda(B)$, with $\lambda$ the Lebesgue measure on the collection $\mathcal{B}$ of Borel sets. 

Second we see that equivalently LMPs can be defined as follows: 

Definition 2 (LMP2). A Labelled Markov Process consists of a measurable space $(S, \Sigma)$ and a family of $\Sigma$-measurable functions $(h(a, Q))_{a \in L,\, Q \in \Sigma}$ with values in $[0,1]$, such that: 

— additivity: for all disjoint $Q, Q'$: $h(a, Q \cup Q') = h(a, Q) + h(a, Q')$; 

— continuity: for all increasing sequences $\uparrow\! Q_n$: $h(a, \bigcup Q_n) = \sup_n h(a, Q_n)$. 

From the definition it follows that for all $a, s$ one has $h(a, S)(s) \le 1$. 

In this second definition we see an LMP as a $\Sigma$-indexed family of $\Sigma$-measurable functions, namely the random variables “probability of jumping to $Q$ in one step labelled with $a$”, instead of an $S$-indexed family of probabilities on $\Sigma$. Both definitions are related by $h'(a, s, Q) = h(a, Q)(s)$. The functions $h, h'$ are commonly referred to as transition probability functions or Markov kernels (or stochastic kernels). 

In previous treatments [6] LMPs were required to have an analytic state 
space. This was needed for the proof of the logical characterization of bisimula- 
tion. We will not mention this again in the present paper since we will not need 
the analytic structure. In fact it is hard to give examples of spaces that are not 
analytic, let alone one that might be useful in an example. 

¹ Where $\uparrow\! Q_n$ denotes an increasing sequence of sets $Q_n$, i.e., for all $n$, $Q_n \subseteq Q_{n+1}$. 
2.3 Conditional Expectation 

The expectation $E_p(X)$ of a random variable $X$ is the average computed by $\int X\,dp$ and therefore it is just a number. The conditional expectation is not a mere number but a random variable. It is meant to measure the expected value in the presence of additional information. The conditional expectation is typically thought of in the form: “if I know in advance that the outcome is in the set $Q$ then my revised estimate of the expectation $E_p(X)$ is $E_p(X \mid Q)$.” However additional information may take a more subtle form than merely stating that the result is in or not in a set. 

The additional information takes the form of a sub-$\sigma$-algebra, say $A$, of $\Sigma$. In what way does this represent “additional information”? The idea is that an experimenter is trying to compute probabilities of various outcomes of a random process. The process is described by $(S, \Sigma, p)$. However she may have partial information in advance by knowing that the outcome is in a measurable set $Q$. Now she may try to recompute her expectation values based on this information. To know that the outcome is in $Q$ also means that it is not in $Q^c$. Note that $\{\emptyset, Q, Q^c, S\}$ is in fact a (tiny) sub-$\sigma$-algebra of $\Sigma$. Thus one can generalize this idea and say that for some given sub-$\sigma$-algebra $A$ of $\Sigma$ she knows for every $Q \in A$ whether the outcome is in $Q$ or not. Now she can recompute the expectation values given this information. 

How can she actually express this revised expectation when the $\sigma$-algebra $A$ is large? It is presented as a density function, so that for every $A$-measurable set $B$ one can compute the conditional expectation by integration over $B$. Thus instead of a number we get an $A$-measurable function called the conditional expectation given $A$, written $E_p(\_ \mid A)$.² 

It is not at all obvious that such a function should exist, and this is indeed a fundamental result of Kolmogorov (see for instance [16], p. 84). 

Theorem 1 (Kolmogorov). Let $(S, \Sigma, p)$ be a probability triple, $X$ be in $\mathcal{L}^1(S, \Sigma, p)$ and $A$ be a sub-$\sigma$-algebra of $\Sigma$; then there exists a $Y \in \mathcal{L}^1(S, A, p)$ such that 
$$\forall B \in A.\ \int_B X\,dp = \int_B Y\,dp. \tag{1}$$

Not only does the conditional expectation exist, but it has a lot of properties. As a functional of type 
$$E_p(\_ \mid A) : \mathcal{L}^1(S, \Sigma, p) \to \mathcal{L}^1(S, A, p)$$
it is linear, increasing with respect to the pointwise ordering and continuous in the sense that for any sequence $(X_n)$ with $0 \le X_n \uparrow X$ and $X_n, X \in \mathcal{L}^1(S, \Sigma, p)$, one has $E_p(X_n \mid A) \uparrow E_p(X \mid A)$ . . . but it is not uniquely defined! 

² Take note that, in the same way as $E_p(X)$ is constant on $S$, the conditional expectation will be constant on every “pixel” or smallest observable set in $A$. In the above “tiny” sub-$\sigma$-algebra, this means constant on both $Q$ and $Q^c$. This will turn out to be exactly what we need later when pixels are defined by sets of formulas. 
All candidate conditional expectations are called versions of the conditional expectation. It is easy to prove that any two $A$-measurable functions satisfying the characteristic property (1) given above may differ only on a set of $p$-probability zero. 



2.4 The Finite Case 



As we have said before, the basic intuition of $E_p(X \mid A)$ is that it averages out all variations in $X$ that are below the resolution of $A$, i.e. which do not depend on $A$. In particular, if $X$ is independent of $A$, then $E_p(X \mid A) = E_p(X)$,³ and $X$ is completely averaged out. On the other hand, if $X$ is fully dependent on $A$, in other words if $X$ is $A$-measurable, then $E_p(X \mid A) = X$.⁴ 

Actually this intuition is exact in the case that the sample space $S$ is finite. We may suppose then that $\Sigma = 2^S$, and $A$ will be generated by a set of equivalence classes. But then $Y = E_p(X \mid A)$ has to be constant on equivalence classes (else it is not $A$-measurable) and by the characteristic property, with $B$ an equivalence class $[s]$, we get: 
$$Y(s) \cdot p([s]) = \int_{[s]} Y\,dp = \int_{[s]} X\,dp = \sum_{t \in [s]} X(t)\,p(\{t\}).$$

When $p([s]) > 0$ we see that $Y$ is exactly the $p$-average of $X$ over the equivalence classes associated to $A$: 
$$Y(s) = \frac{1}{p([s])}\, E_p(\mathbf{1}_{[s]}\, X),$$
where $\mathbf{1}_{[s]}$ is the characteristic function of the measurable set $[s]$. 



2.5 The Example That Says It All 

Now that it is understood that in the finite state-space case conditional expectations are averages over equivalence classes, we can consider a revealing example. Put $S = \{x, y, 0, 1\}$, $\Sigma = 2^S$, $L = \{a\}$ (there is only one label, so we will not even bother to write $a$ in the kernels); $h(\{0\})(x) = h(\{1\})(y) = 1$ and every other state-to-state transition is of probability zero. Suppose $A$ identifies $x$ and $y$, and call the resulting class $z$. 

One can conceive of three ways to define a kernel $k$ on the quotient space $\{z, 0, 1\}$. One can define the kernel as the infimum over $\{x, y\}$ or dually one can take it to be the supremum: 
$$k_i(\{0\})(z) = 0,\qquad k_i(\{1\})(z) = 0,\qquad k_i(\{0,1\})(z) = 1,$$
$$k_s(\{0\})(z) = 1,\qquad k_s(\{1\})(z) = 1,\qquad k_s(\{0,1\})(z) = 1,$$
or else one can average (using here the uniform probability): 
$$k_a(\{0\})(z) = 1/2,\qquad k_a(\{1\})(z) = 1/2,\qquad k_a(\{0,1\})(z) = 1.$$

As we said in the introduction, the use of the infimum results in super-additive kernels while the use of a supremum results in sub-additive kernels: 
$$k_i(\{0,1\})(z) = 1 > k_i(\{0\})(z) + k_i(\{1\})(z) = 0,$$
$$k_s(\{0,1\})(z) = 1 < k_s(\{0\})(z) + k_s(\{1\})(z) = 2.$$

Of the three options, only using averages preserves additivity: 
$$k_a(\{0,1\})(z) = 1 = k_a(\{0\})(z) + k_a(\{1\})(z).$$

Besides we observe that, perhaps not surprisingly, in all cases the kernel obtained by using averages is sandwiched between the others, e.g.: 
$$0 = k_i(\{0\})(z) < k_a(\{0\})(z) = 1/2 < k_s(\{0\})(z) = 1.$$

³ Recall that in this equation the left-hand side is a function while the right-hand side is a number; we mean to say that the function on the left is a constant function whose value is given by the right-hand side. 

⁴ Given a probability triple $(S, \Sigma, p)$, a random variable $X \in m\Sigma$ is said to be independent of a sub-$\sigma$-algebra $A$ if for any event $A' \in \sigma(X)$ and $B \in A$, $p(A' \cap B) = p(A')\,p(B)$. In particular, as one can easily verify, $X$ is always independent of the trivial $\sigma$-algebra $A_0 = \{\emptyset, S\}$ and by the remark above, $E_p(X \mid A_0) = E_p(X)$, the ordinary unconditional expectation of $X$. 

The rest of the paper is essentially about structuring this nice concrete notion of 
approximant by averages as a general construction and explaining in what sense 
these approximants are actually approximating what they are supposed to be 
approximants of. 



2.6 Logic and Metric 

The other goal of having approximants that are customizable with respect to formulas of interest will be achieved by using the notion of expectation above with $A$ a $\sigma$-algebra generated by a set of formulas of a suitable logic. We will prove that the approximant satisfies exactly the same formulas of the given set as does the process being approximated. 

The following logic $\mathcal{L}_0$ is a central tool for asserting properties of LMPs, since it characterizes strong bisimulation between them [6]: 
$$\theta ::= \top \ \mid\ \theta \wedge \theta \ \mid\ \langle a \rangle_r\, \theta.$$

The parameter $r$ above can be any rational in $[0,1]$. 

Definition 3. Given an LMP $\mathcal{S}$, one defines inductively the map $[\![\_]\!]_{\mathcal{S}} : \mathcal{L}_0 \to \Sigma$ as: 

— $[\![\top]\!]_{\mathcal{S}} = S$, 

— $[\![\theta_0 \wedge \theta_1]\!]_{\mathcal{S}} = [\![\theta_0]\!]_{\mathcal{S}} \cap [\![\theta_1]\!]_{\mathcal{S}}$, 

— $[\![\langle a \rangle_r\, \theta]\!]_{\mathcal{S}} = \{s \in S \mid h(a, [\![\theta]\!]_{\mathcal{S}})(s) > r\}$. 
Let $\mathcal{S}$ be an LMP; one says $s \in S$ satisfies $\theta$, written $s \models \theta$, if $s \in [\![\theta]\!]_{\mathcal{S}}$; one says $\mathcal{S}$ satisfies $\theta$, still written $\mathcal{S} \models \theta$, if there exists an $s \in S$ such that $s \models \theta$. Finally, given another LMP $\mathcal{S}'$ and $\mathcal{F}$ a subset of formulas of $\mathcal{L}_0$, we say that $\mathcal{S}$ and $\mathcal{S}'$ agree on $\mathcal{F}$ if $\mathcal{S}$ and $\mathcal{S}'$ satisfy the same formulas of $\mathcal{F}$. 

As we have already said, we will take the simplifying stance that two LMPs are bisimilar iff they satisfy the same formulas. This was proven in the case of analytic state spaces, and that is a general enough class to encompass any conceivable physical example. 

In [7] a family of metrics $d^c$, for $c \in (0,1)$, has been introduced that is closely related to this logic. Indeed one can think of the metric as measuring the complexity of the distinguishing formula between two states, if any. 

We do not need to give the precise definition of these metrics here, but we do want to use them to show convergence of approximants. This will be done using the following result, which is a direct consequence of results relating the logic and the metric that can be found in [7]. 

Proposition 4. Let $(\mathcal{F}_i)_{i \in \mathbb{N}}$ be an increasing sequence of sets of formulas converging to the set of all formulas of $\mathcal{L}_0$. Let $\mathcal{S}$ be an LMP and $(\mathcal{S}_i)_{i \in \mathbb{N}}$ a sequence of LMPs. If, for every $i$, $\mathcal{S}_i$ and $\mathcal{S}$ agree on the set $\mathcal{F}_i$ of formulas of $\mathcal{L}_0$, then for all $c \in (0,1)$: 
$$d^c(\mathcal{S}_i, \mathcal{S}) \longrightarrow_{i \to \infty} 0.$$



3 When $E_p(\_ \mid A)$ Is Unique 

There is one thing we have to confront. As we noted before, conditional expectations are unique only “almost surely.” Now we want to use them to average our family of $h(a, Q)$ and, from the definition of an LMP, we need these averages to be defined pointwise, not only up to $p$. Yet, in the case of finite systems, one option is to choose for $p$ the uniform probability on $S$, in which case “almost surely” actually means “surely,” since only the empty set is in $\mathcal{N}_p$. This, intuitively, is because points are big enough chunks to be seen by the probability distribution. This leads to the following two definitions. 

Definition 5 (pixels). Let $(S, \Sigma)$ be a measurable space; one says $s$ and $t \in S$ are $\Sigma$-indistinguishable if $\forall Q \in \Sigma,\ s \in Q \Leftrightarrow t \in Q$. 

This is an equivalence on $S$ and we write $[s]_\Sigma$, or sometimes simply $[s]$, to denote the equivalence class of $s$. One has $[s]_\Sigma = \bigcap\{Q \mid s \in Q \in \Sigma\}$, so equivalence classes might not be measurable themselves unless $\Sigma$ is countably generated, which is the case we are interested in. 

Definition 6 (granularity). Let $(S, \Sigma, p)$ be a probability triple and $A \subseteq \Sigma$ be a sub-$\sigma$-algebra of $\Sigma$; $p$ is said to be granular over $A$ if for all $s \in S$, $[s]_A \notin \mathcal{N}_p$. 

In other words, $p$ is granular over $A$ if no $A$-equivalence class is negligible. What this means intuitively is that the “pixellization” of $A$ is always seen by $p$. It may be instructive to point out that there are at most countably many equivalence classes in this case. 

As an example, we can take the probability triple $([0,1]^2, \mathcal{B}^2, \lambda^2)$, where $\lambda^2$ is the Lebesgue measure on the square, and $A = \mathcal{B} \times [0,1]$, the $\sigma$-algebra of vertical strips. Then $[s]_A = \{s\} \times [0,1] \in A$ and $\lambda^2([s]) = 0$, so our $p$ is not granular over this $A$. The measurable sets of $A$ are very thin strips. They are too fine to be granular. But if we take a cruder $A$, namely that containing the squares $[k/n, (k+1)/n] \times [h/n, (h+1)/n]$ for $k, h < n$ (with $n$ fixed), then $[s]_A$ is such a square of $\lambda^2$-measure $1/n^2$, so here $p$ is granular. 

The big payoff of granularity is the following. 

Lemma 7 (Uniqueness lemma). Let $(S, \Sigma, p)$ be a probability triple, $A \subseteq \Sigma$, $p$ granular over $A$, $X$ and $Y$ both $A$-measurable; then: 
$$X = Y \text{ a.s.} \ \Longrightarrow\ X = Y.$$

So in this case “almost surely” does mean “surely!” 

Proof. Set $Q := \{s \in S \mid X(s) = \alpha \wedge Y(s) = \beta\}$ and $t \in Q$. One has $Q \in A$, by $A$-measurability of $X$ and $Y$, but then $[t]_A \subseteq Q$ (otherwise $Q$ splits $[t]_A$). So by granularity $p(Q) > 0$ (else $[t]_A$ is negligible), and therefore $\alpha = \beta$, or else $X$ and $Y$ differ on a non-negligible set $Q$. □ 

So in these favourable circumstances we can do away with versions. If $X \in \mathcal{L}^1(S, \Sigma, p)$, and $p$ is granular over $A$: 
$$E_p(X \mid A) : \mathcal{L}^1(S, \Sigma, p) \to \mathcal{L}^1(S, A, p)$$
is uniquely defined and we can proceed to the main definition. 
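To make the roles of property (1), of versions and of granularity concrete on a finite sample space, here is an added Python example written for this page (the paper contains no code). It builds $E_p(X \mid A)$ as the class average of Sect. 2.4, checks the characteristic property (1) of Theorem 1 over the whole of $A$, and then exhibits two different $A$-measurable versions when $p$ has a null class, versus a single pointwise-determined one when $p$ is granular over $A$, which is the content of Lemma 7. The sample space, partition, random variable and the two probabilities are constructed for the illustration.

```python
from fractions import Fraction
from itertools import combinations

# Constructed finite probability space: S = {a, b, c, d}, Sigma = 2^S.
# A is the sub-sigma-algebra generated by the partition {{a, b}, {c, d}}.
S = ["a", "b", "c", "d"]
PARTITION = [frozenset({"a", "b"}), frozenset({"c", "d"})]
X = {"a": Fraction(1), "b": Fraction(3), "c": Fraction(5), "d": Fraction(7)}
P_UNIFORM = {s: Fraction(1, 4) for s in S}                 # granular over A
P_NULL = {"a": Fraction(1, 2), "b": Fraction(1, 2),         # the pixel {c, d}
          "c": Fraction(0), "d": Fraction(0)}               # is p-negligible

def sigma_algebra(partition):
    """The sub-sigma-algebra A generated by a partition: all unions of classes."""
    return [frozenset().union(*u)
            for r in range(len(partition) + 1)
            for u in combinations(partition, r)]

def integral(Y, B, p):
    """The integral of Y over B with respect to p on a finite sample space."""
    return sum((Y[s] * p[s] for s in B), Fraction(0))

def is_A_measurable(Y, partition):
    """Y is A-measurable iff it is constant on every class (pixel) of A."""
    return all(len({Y[s] for s in c}) == 1 for c in partition)

def satisfies_property_1(X, Y, partition, p):
    """Characteristic property (1): integrals of X and Y agree on every B in A."""
    return all(integral(X, B, p) == integral(Y, B, p)
               for B in sigma_algebra(partition))

def is_granular(partition, p):
    """Definition 6: p is granular over A iff no class is p-negligible."""
    return all(sum(p[s] for s in c) > 0 for c in partition)

def conditional_expectation(X, partition, p, null_value=Fraction(0)):
    """A version of E_p(X | A): on each class of positive mass the p-average
    of X (the formula of Sect. 2.4); on a null class property (1) imposes
    nothing, so the arbitrary `null_value` is used there."""
    Y = {}
    for c in partition:
        mass = sum(p[s] for s in c)
        value = integral(X, c, p) / mass if mass > 0 else null_value
        for s in c:
            Y[s] = value
    return Y

def almost_surely_equal(Y1, Y2, p):
    """Y1 = Y2 a.s.: the set where they differ is p-negligible."""
    return sum((p[s] for s in Y1 if Y1[s] != Y2[s]), Fraction(0)) == 0

def versions(X, partition, p):
    """Two candidate conditional expectations differing only in the choice
    made on null classes. Both satisfy (1) and are A-measurable; they coincide
    everywhere exactly when p is granular over A (Lemma 7)."""
    Y1 = conditional_expectation(X, partition, p, null_value=Fraction(0))
    Y2 = conditional_expectation(X, partition, p, null_value=Fraction(99))
    assert satisfies_property_1(X, Y1, partition, p)
    assert satisfies_property_1(X, Y2, partition, p)
    assert is_A_measurable(Y1, partition) and is_A_measurable(Y2, partition)
    return Y1, Y2

if __name__ == "__main__":
    for name, p in (("uniform", P_UNIFORM), ("null", P_NULL)):
        Y1, Y2 = versions(X, PARTITION, p)
        print(name, "granular:", is_granular(PARTITION, p),
              "a.s. equal:", almost_surely_equal(Y1, Y2, p), "equal:", Y1 == Y2)
```

Under the uniform probability the two versions are identical, so $E_p(X \mid A)$ is a genuine function on $S$; under `P_NULL` they are almost surely equal yet disagree on the pixel $\{c, d\}$, which is exactly the failure of granularity that Lemma 7 rules out.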

4 Projecting LMPs 

Definition 8 (projection of an LMP). Given $(S, \Sigma)$ a measurable space, $A$ a sub-$\sigma$-algebra of $\Sigma$, $p$ a probability on $(S, \Sigma)$ granular over $A$, and $\mathcal{S} = (h(a, Q))_{a \in L,\, Q \in \Sigma}$ an LMP on $(S, \Sigma)$, one defines the $p$-projection of $\mathcal{S}$ on $A$, written $(\mathcal{S} \mid A)_p$, as: 
$$h'(a, Q) = E_p(h(a, Q) \mid A), \qquad \text{for } a \in L,\ Q \in A.$$

Take note that this is the version of the conditional expectation. Existence follows from the fact that the $h(a, Q)$ evidently are integrable with respect to $p$ (they are measurable, positive and bounded by 1), in other words they are in $\mathcal{L}^1(S, \Sigma, p)$. 

Proposition 9 (Staying within LMPs). $(\mathcal{S} \mid A)_p$ is an LMP. 

Proof. All maps $h'(a, Q)$ are $A$-measurable by definition of the conditional expectation; additivity is because $E_p(\_ \mid A)$ is linear; continuity follows because $E_p(\_ \mid A)$ is continuous, as can be seen by using the conditional form of the monotone convergence theorem. □ 
We may now round off the construction by changing the state space. 

Let us write $[\_]_A : S \to [S]_A$ for the canonical surjection to the set of equivalence classes and denote accordingly the quotient $\sigma$-algebra by $[A]_A$. Then one can define the quotient LMP $([S]_A, [A]_A, k)$ with: 
$$k(a, B)([s]_A) := h'\big(a, \textstyle\bigcup B\big)(t) := E_p\big(h(a, \textstyle\bigcup B) \mid A\big)(t),$$
with $t \in [s]$. Take note that the right hand side is independent of the choice of $t \in [s]_A$ since $h'(a, Q)$ is $A$-measurable, and therefore $h'(a, Q)$ has to be constant on $[s]_A$ (else the equivalence class is split by an event in $A$). Moreover, $[\_]_A$ is a bisimulation morphism (which was formerly called a “zig-z ag” [6]) from $(\mathcal{S} \mid A)_p$ to $([S]_A, [A]_A, k)$ and as such it preserves all $\mathcal{L}_0$ properties. 

So far we have a quotient theory for LMPs when pixels are big enough, but everything hinges on the choice of an ambient $p$. This is the second problem we have to deal with. 
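The three candidate kernels of Sect. 2.5 and the projection and quotient of Definition 8 and this section, worked out in Python as an added example (it is not code from the paper). The kernel is the four-state example of Sect. 2.5, encoded as constructed data; `quotient_kernels` computes the infimum, supremum and $p$-average kernels over each class, the last being $E_p(h(Q) \mid A)$ pointwise (the assertion that every class has positive mass is the granularity requirement of Definition 8), `additivity` classifies each of them as the text does, and `quotient_lmp` carries the averaged kernel over to the quotient space $[S]_A$. The functions are written for an arbitrary finite LMP, partition and granular $p$, not only for the page's instance.

```python
from fractions import Fraction
from itertools import combinations

# Constructed encoding of the Sect. 2.5 example: S = {x, y, 0, 1}, a single
# label (omitted), x -> 0 and y -> 1 with probability 1, all other jumps 0.
STATES = ["x", "y", "0", "1"]
JUMPS = {"x": {"0": Fraction(1)}, "y": {"1": Fraction(1)}, "0": {}, "1": {}}

def h(Q, s):
    """Markov kernel h(Q)(s): probability of jumping from s into the set Q."""
    return sum((JUMPS[s].get(t, Fraction(0)) for t in Q), Fraction(0))

def generated(classes):
    """All unions of classes: the sigma-algebra A generated by a partition."""
    return [frozenset().union(*u)
            for r in range(len(classes) + 1) for u in combinations(classes, r)]

def quotient_kernels(h, partition, p):
    """Three candidate kernels on the quotient, keyed by (Q, class) with Q in A:
    the infimum and supremum over the class, and the p-average, which is the
    conditional expectation E_p(h(Q) | A) of Definition 8 (p must be granular)."""
    classes = [frozenset(c) for c in partition]
    k_inf, k_sup, k_avg = {}, {}, {}
    for c in classes:
        mass = sum(p[s] for s in c)
        assert mass > 0, "p is not granular over A: class %s is negligible" % sorted(c)
        for Q in generated(classes):
            values = [h(Q, s) for s in c]
            k_inf[Q, c], k_sup[Q, c] = min(values), max(values)
            k_avg[Q, c] = sum(p[s] * h(Q, s) for s in c) / mass   # class average
    return k_inf, k_sup, k_avg

def additivity(k):
    """Compare k(Q u Q')(c) with k(Q)(c) + k(Q')(c) for all disjoint Q, Q' in A."""
    under = over = False
    for (Q, c), v in k.items():
        for (Q2, c2), v2 in k.items():
            if c2 != c or Q & Q2:
                continue
            union = k[Q | Q2, c]
            under |= union < v + v2
            over |= union > v + v2
    return {(False, False): "additive", (False, True): "super-additive",
            (True, False): "sub-additive", (True, True): "neither"}[(under, over)]

def quotient_lmp(k, classes):
    """The quotient LMP ([S]_A, [A]_A, k') of Sect. 4: for B a set of classes,
    k'(B)([s]) = k(union of B)([s]); additive and bounded by 1 whenever k is."""
    return {(B, c): k[frozenset().union(*B), c]
            for c in classes
            for r in range(len(classes) + 1)
            for B in map(frozenset, combinations(classes, r))}

UNIFORM = {s: Fraction(1, 4) for s in STATES}
PARTITION = [{"x", "y"}, {"0"}, {"1"}]       # A identifies x and y; the class is z
Z, ZERO, ONE = frozenset({"x", "y"}), frozenset({"0"}), frozenset({"1"})
K_INF, K_SUP, K_AVG = quotient_kernels(h, PARTITION, UNIFORM)
QUOTIENT = quotient_lmp(K_AVG, [Z, ZERO, ONE])

if __name__ == "__main__":
    for name, k in (("inf", K_INF), ("sup", K_SUP), ("avg", K_AVG)):
        print(name, k[ZERO, Z], k[ONE, Z], k[ZERO | ONE, Z], additivity(k))
```

Only the averaged kernel survives the additivity check, and it is sandwiched between the infimum and supremum kernels on every block, as the text observes; `quotient_lmp` then gives the kernel $k$ on $\{z, 0, 1\}$ in which the state $z$ jumps to $0$ and to $1$ with probability $1/2$ each.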

5 A “Uniform” Probability on $(S, \sigma(\mathcal{L}_0))$ 

The key is to construct an appropriate measure, and we will use $\mathcal{L}_0$ to do this. So, given an LMP $\mathcal{S}$ and a fixed enumeration $(\theta_n)$ of $\mathcal{L}_0$, we first define a sequence $(S, A_n)$ of measurable spaces:⁵ 
$$A_0 := \{\emptyset, S\}, \qquad A_n := \sigma\big([\![\theta_i]\!]_{\mathcal{S}} \mid i < n\big).$$

Then for each $n$ we write $\mathbf{1}_{[\theta_n]}$ for the indicator function of $[\![\theta_n]\!]_{\mathcal{S}}$ and define $\alpha_n : \{0,1\}^n \to A_n$ as: 
$$\alpha_n(x) = \bigcap_{i < n} \{s \mid \mathbf{1}_{[\theta_i]}(s) = x_i\},$$
with the convention that $\{0,1\}^0 = \{*\}$ and $\alpha_0(*) = S$. 

Each $A_n$ is a finite boolean algebra and so has atoms (non-empty sets in $A_n$ with no proper subsets); each atom of $A_n$ is the image by $\alpha_n$ of a unique sequence $x \in \{0,1\}^n$, but not all sequences are mapped to atoms, some are mapped to the empty set. 

Now the idea is to construct $p$ stagewise and at each stage to divide evenly the mass of an atom $\alpha_n(x) \in A_n$ between its proper subsets in $A_{n+1}$ if there are some. Specifically, we define $p_n$ inductively on $A_n$-atoms as: 
$$p_0(\emptyset) = 0, \qquad p_0(S) = 1$$
$$\alpha_{n+1}(x0) \neq \emptyset,\ \alpha_{n+1}(x1) \neq \emptyset \ \Rightarrow\ p_{n+1}(\alpha_{n+1}(x0)) = p_{n+1}(\alpha_{n+1}(x1)) = \tfrac{1}{2}\, p_n(\alpha_n(x))$$
$$\alpha_{n+1}(x0) = \emptyset,\ \alpha_{n+1}(x1) \neq \emptyset \ \Rightarrow\ p_{n+1}(\alpha_{n+1}(x0)) = 0,\ \ p_{n+1}(\alpha_{n+1}(x1)) = p_n(\alpha_n(x))$$
$$\alpha_{n+1}(x0) \neq \emptyset,\ \alpha_{n+1}(x1) = \emptyset \ \Rightarrow\ p_{n+1}(\alpha_{n+1}(x0)) = p_n(\alpha_n(x)),\ \ p_{n+1}(\alpha_{n+1}(x1)) = 0$$

Clearly each $p_n$ extends to a unique probability on $(S, A_n)$ since it is defined on $A_n$-atoms, and the $p_n$ are compatible in the sense that $p_{n+1} \restriction A_n = p_n$; the sequence $p_n$ converges to some “skewed” Lebesgue measure $p$ on $\sigma(\mathcal{L}_0)$, the $\sigma$-algebra generated by our temporal formulas.⁶ 

⁵ For each $n$, $A_n \subseteq A_{n+1}$; this is usually called a filtration. 

⁶ To be exact, by $\sigma(\mathcal{L}_0)$ we mean $\sigma([\![\theta]\!]_{\mathcal{S}} ; \theta \in \mathcal{L}_0)$. 



First, we have to recall for future use that for any finite set of formulas
F ⊆ L_0 and the associated σ-algebra σ(F):

$$p([s]_F) \geq 2^{-N} \qquad (2)$$

where N = max{i | θ_i ∈ F}.

Second, we observe that the p obtained here will depend on the original 
enumeration, and we leave for future investigation the question of whether there 
is a principled way of choosing p. In our case, all choices will work equally well. 

As an example we can consider the transition system with only state s, only
one letter a and h(a, {s})(s) = 1/2. Then s ⊨ θ iff all coefficients used in θ are
below 1/2. In this case, as with all one-state systems, at any stage there will
be at most one atom, namely {s}, and therefore p({s}) = 1.

5.1 Compressing Σ

But the reader might protest that to apply the projection, one needs a probability
on an arbitrary Σ, not just on σ(L_0). Well, in fact, it is enough to consider the
latter case because:

Proposition 10. σ(L_0) is the smallest σ-algebra which is closed under the
shifts:

$$\langle a \rangle_r(Q) = \{\, s \mid h(a, Q)(s) > r \,\}$$

That it is the smallest is obvious, but that it is closed is not [3].

Therefore, σ(L_0) is always included in Σ, since Σ has to be stable under shifts
(this is equivalent to asking that the h(a, Q) are all Σ-measurable), and one can
always 'compress' an LMP to σ(L_0). The compressed LMP is obviously bisimilar to
the original one since, by construction, the states are the same and their temporal properties
remain the same as well. Without loss of generality, we may and will suppose
hereafter that Σ = σ(L_0).

6 Approximations 

Now we can complete the approximation construction. 

6.1 Finite-State Approximants 

Let S be a compressed LMP S = (S, Σ, h) with Σ = σ(L_0), and let F ⊆ L_0 be a
finite set of formulas; set A to be the σ-algebra σ(F) generated by F on S.

We observe that by inequation (2), p is granular over A, so the machinery
gets us a finite-state LMP approximant:

$$S = (S, A, h) \;\mapsto\; S_F = ([S]_A, [A]_A, k)$$

which is the quotient constructed above after the appropriate projection.

There are at most 2^{|F|} states in S_F; in particular it is a finite-state
probabilistic transition system.
6.2 Convergence

We need to say how the obtained S_F approximates S. In the previous ap-
proach [8], approximants were always below the approximated process and hence
simulated by it. It was shown that they converge in the domain of all LMPs. This
is not the case here, since approximants are neither above nor below S. However,
S_F does converge to S.

Proposition 11. For every finite subformula-closed set of formulas F ⊆ L_0:

S. 

Proof. We prove something stronger, namely that if θ ∈ F, then ∪[θ]_{S_F} = [θ]_S,
or equivalently that (recall that A = σ(F)). This is done by

induction on the structure of formulas in F, which is why we ask F to be closed
under subformulas.

The only interesting case is when θ = ⟨a⟩_r φ. If all states in class [s] satisfy θ
(equivalently, if one state in [s] satisfies θ), that is to say if h(a, [φ]_S)(t) > r for
all t ∈ [s], then obviously the conditional expectation is also above r and hence
[s] satisfies θ since:

$$k(a, [\phi]_{S_F})([s]) := E_p\big(h(a, \cup[\phi]_{S_F}) \mid A\big)(t) = E_p\big(h(a, [\phi]_S) \mid A\big)(t) > r,$$

where the first equation is by definition of k, and the second equation is by the
induction hypothesis. Conversely, if the conditional expectation on [s] (recall
that it is constant on this set) is > r, then at least one t ∈ [s] must satisfy
h(a, [φ]_S)(t) > r. Since all states in [s] satisfy the same formulas of F, they
all satisfy formula θ, as required. □

Notice that this proposition is also true for a logic extended with a greatest
fixpoint operator [4,5].^

From Proposition 4, it now follows easily that:

Theorem 2. If (F_i) is an increasing sequence of subformula-closed sets of for-
mulas converging to the set of all formulas L_0, then for all c ∈ (0, 1]:

$$\xrightarrow{\;i \to \infty\;} 0.$$

We could have taken another route to prove Proposition 11. As Example 2.5
suggested, quotients constructed with conditional expectations do lie between
the inf- and the sup-approximants [5]:

$$\begin{aligned}
k(a, [Q])([s]_A) &:= h'(a, Q)(s) \\
&= \frac{1}{p([s]_A)} \int_{[s]_A} h'(a, Q)\, dp \qquad \text{since } h'(a, Q) \text{ is constant on } [s]_A \\
&= \frac{1}{p([s]_A)} \int_{[s]_A} h(a, Q)\, dp \qquad \text{since } [s]_A \in A \\
&\geq \inf_{t \in [s]_A} h(a, Q)(t)
\end{aligned}$$

^ The proof can be found in a survey of LMP approximation (to appear in ENTCS).

The second equation holds both because h'(a, Q) is constant on equivalence
classes and because p is granular and therefore p([s]_A) > 0. The third equa-
tion is the characteristic property of conditional expectations. A similar type of
argument allows one to reason analogously for the supremum case.

Thus another, indirect, way to prove the previous proposition is to use this
sandwiching effect and the fact that the infimum and supremum were proven
to give approximations in the same sense as Proposition 11 [5]. This also makes
clear that the average-based approximants are better than the order-theoretic
ones.
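The stagewise measure of Section 5 and the average-based quotient k of Section 4 (with the inf/sup sandwich just shown), computed on a small finite LMP, as an added worked example that is not part of the paper. The state set, the two formula extents [θ_0]_S, [θ_1]_S and the transition function h are constructed; since the extents separate all states, p ends up as a point mass on the final atoms and the conditional expectation E_p(· | A) reduces to a p-weighted average over each class:

```python
# Added example (not from the paper): the stagewise measure of Sect. 5 and the
# average-based quotient k of Sect. 4, on a constructed four-state LMP.
from fractions import Fraction as F

def stage_measures(S, extents):
    """Build p_0, p_1, ... on the atoms of A_n = sigma([theta_i] : i < n).
    S: finite state set; extents: list of sets [theta_0]_S, [theta_1]_S, ...
    Returns a list whose n-th entry maps each A_n-atom (frozenset) to its mass."""
    stages = [{frozenset(S): F(1)}]            # p_0(S) = 1, p_0(empty) = 0
    for theta in extents:
        nxt = {}
        for atom, mass in stages[-1].items():
            # split the atom by theta; an empty child receives no mass
            children = [c for c in (atom & theta, atom - theta) if c]
            for c in children:
                nxt[frozenset(c)] = mass / len(children)   # even split, or all to the only child
        stages.append(nxt)
    return stages

def quotient_transition(h, p, partition):
    """k(a, B)([s]_A) = E_p(h(a, union B) | A)(t): the p-weighted average of
    h(.)(union B) over the class of s. Assumes p is a point mass on single states
    (the formulas separate all states). h: dict state -> dict target -> probability,
    for one action. Returns k[(source class, target class)] together with the
    inf and sup of h(a, union B)(t) over t in the source class."""
    k, lo, hi = {}, {}, {}
    for C in partition:
        ts = list(C)
        pC = sum(p[t] for t in ts)
        assert pC > 0, "p must be granular: every class has positive mass"
        for B in partition:
            vals = [sum(h[t].get(u, F(0)) for u in B) for t in ts]   # h(a, union B)(t)
            avg = sum(p[t] * v for t, v in zip(ts, vals)) / pC
            k[(C, B)], lo[(C, B)], hi[(C, B)] = avg, min(vals), max(vals)
    return k, lo, hi

def sandwiched(k, lo, hi):
    """The bounds of Sect. 6.2: inf <= k <= sup for every pair of classes."""
    return all(lo[key] <= k[key] <= hi[key] for key in k)

# Constructed data: states a, b, c, d and two formula extents that separate all states.
STATES = {'a', 'b', 'c', 'd'}
EXTENTS = [{'a', 'b'}, {'a', 'c'}]
H = {'a': {'a': F(1, 2), 'c': F(1, 2)},
     'b': {'b': F(1, 4), 'd': F(1, 2)},
     'c': {'a': F(1)},
     'd': {}}

def run():
    stages = stage_measures(STATES, EXTENTS)
    assert all(len(atom) == 1 for atom in stages[-1]), "extents must separate states"
    p = {next(iter(atom)): mass for atom, mass in stages[-1].items()}   # point masses
    partition = list(stages[1])          # classes of A = sigma([theta_0]_S)
    k, lo, hi = quotient_transition(H, p, partition)
    return stages, p, partition, k, lo, hi

if __name__ == "__main__":
    stages, p, partition, k, lo, hi = run()
    for (C, B), v in k.items():
        print(sorted(C), "->", sorted(B), "k =", v, "inf =", lo[(C, B)], "sup =", hi[(C, B)])
```

With F = {θ_0} the quotient has the two classes {a, b} and {c, d}; each stage-2 atom has mass 1/4 = 2^{-2}, which is inequation (2) with N = 2.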

7 Conclusion 

We have given an approximation technique for LMPs that has a number of good 
properties. It can be customized in the sense that if one is interested in a special 
set of formulas one can arrange the approximation so that one obtains a finite 
system (assuming that one had finitely many formulas) with the property that 
the formulas of interest are satisfied by the original system if and only if they 
are satisfied by the finite approximant. This brings the work much closer to the 
goal of using automated verification tools on continuous state space systems. 
This property is shared by the infima technique [5]; however, unlike that result,
we can also stay within the framework of traditional LMPs and avoid having to
work with capacities.

The results of this paper give yet another approximation construction and 
one may well wonder if this is just one more in a tedious sequence of construc- 
tions that are of interest only to a small group of researchers. In fact, we feel 
that there are some new directions in this work whose significance extends be- 
yond the properties of the construction. First, the idea of granularity is, we feel, 
significant. One of the big obstacles to the applicability of modern probability 
theory on general spaces to the computational setting has been the curse of
non-uniqueness embodied in the phrases "almost everywhere" and "almost surely"
seen almost everywhere in probability theory. One can even argue that the bulk
of the computer science community has worked with discrete systems to try and
avoid this non-uniqueness. Our use of granularity shows a new sense in which the
discrete can be used to dispel the non-uniqueness that arises in measure theory.

The second important direction that we feel should be emphasized is the 
use of averages rather than infima. This should lead to better numerical prop- 
erties. More striking than that however is the fact that the simulation order 
is not respected by the approximants. Perhaps it suggests that some sort of 
non monotone approximation occurs. Similar phenomena have been observed by 
Martin [13] - which was the first departure from Scott’s ideas of monotonicity 
as being one of the key requirements of computability - and also in the context 
of non determinate dataflow [14] . 

One might ask why we do not mention any analytic space property, contrary
to what is done in previous papers on LMPs. In fact, analyticity is needed if one
wants to use the fact that the relational definition of bisimulation is characterized
by the logic. If one is happy with only the logic or the metric in order to compare
or work with LMPs, there is no need for analyticity of the state space in the
definition. However, if one indeed needs the analytic property of processes, the
results of the present paper carry through since the quotient of an analytic space
under countably many conditions is analytic, as reported in [9]. This follows
essentially from well-known facts about analytic spaces, see for example Chapter
3 of "Invitation to C*-algebras" by Arveson [1].
Abstract. This paper presents various semantics in the branching-time spectrum of
discrete-time and continuous-time Markov chains (DTMCs and CTMCs). Strong 
and weak bisimulation equivalence and simulation pre-orders are covered and are 
logically characterised in terms of the temporal logics PCTL and CSL. Apart from 
presenting various existing branching-time relations in a uniform manner, our con- 
tributions are: (i) weak simulation for DTMCs is defined, (ii) weak bisimulation 
equivalence is shown to coincide with weak simulation equivalence, (iii) logical 
characterisation of weak (bi)simulations are provided, and (iv) a classification of 
branching-time relations is presented, elucidating the semantics of DTMCs, CTMCs 
and their interrelation. 



1 Introduction 

Equivalences and pre-orders are important means to compare the behaviour of transition 
systems. Prominent branching-time relations are bisimulation and simulation. Bisimula- 
tions [36] are equivalences requiring related states to exhibit identical stepwise behaviour. 
Simulations [30] are preorders requiring state s' to mimic s in a stepwise manner, but 
not necessarily the reverse, i.e., s' may perform steps that cannot be matched by s. Typi- 
cally, strong and weak relations are distinguished. Whereas in strong (bi)simulations, each 
individual step needs to be mimicked, in weak (bi)simulations this is only required for 
observable steps but not for internal computations. Weak relations thus allow for stuttering. 

A plethora of strong and weak (bi)simulations for labelled transition systems has been 
defined in the literature, and their relationship has been studied by process algebraists, 
most notably by van Glabbeek [22,23]. These “comparative” semantics have been ex- 
tended with logical characterisations. Strong bisimulation, for instance, coincides with 
CTL-equivalence [13], whereas strong simulation agrees with a “preorder” on the univer- 
sal (or existential) fragment of CTL [15]. Similar results hold for weak (bi)simulation where 
typically the next operator is omitted, which is not compatible with stuttering. 

For probabilistic systems, a similar situation exists. Based on the seminal works of [31,
35], notions of (bi)simulation (see, e.g., [2,7,8,11,12,24,27,28,32,38,40,41]) for models
with and without nondeterminism have been defined during the last decade, and various
logics to reason about such systems have been proposed (see e.g., [1,4,10,26]). This holds
for both discrete probabilistic systems and variants thereof, as well as systems that de- 
scribe continuous-time stochastic phenomena. In particular, in the discrete setting several 
slight variants of (bi)simulations have been defined, and their logical characterisations 
studied, e.g., [3,17,21,19,40]. Although the relationship between (bi)simulations is frag- 
mentarily known, a clear, concise classification is - in our opinion - lacking. Moreover, 
continuous-time and discrete-time semantics have largely been developed in isolation, and 
their connection has received scant attention, if at all. 

This paper attempts to study the comparative semantics of branching-time relations for 
probabilistic systems that do not exhibit any nondeterminism. In particular, time-abstract 
(or discrete-time) fully probabilistic systems (FPS) and continuous-time Markov chains 
(CTMCs) are considered. Strong and weak (bi)simulation relations are covered together 
with their characterisation in terms of the temporal logics PCTL [26] and CSL [4,10] for 
the discrete and continuous setting, respectively. Apart from presenting various existing 
branching-time relations and their connection in a uniform manner, several new results are 
provided. For FPSs, weak bisimulation [7] is shown to coincide with PCTL\X-equivalence,
weak simulation is introduced whose kernel agrees with weak bisimulation, and the preorder
weakly preserves a safe (live) fragment of PCTL\X. In the continuous-time setting, strong
simulation is defined and is shown to coincide with a preorder on CSL. These results 
are pieced together with various results known from the literature, forming a uniform 
characterisation of the semantic spectrum of FPSs, CTMCs and of their interrelation. 

Organisation of the Paper. Section 2 provides the necessary background. Section 3 defines 
strong and weak (bi)simulations. Section 4 introduces PCTL and CSL and presents the log- 
ical characterisations. Section 5 presents the branching-time spectrum. Section 6 concludes 
the paper. Some proofs are included in this paper; for remaining proofs, see [9]. 

2 Preliminaries 

This section introduces the basic concepts of the Markov models considered within this 
paper; for a more elaborate treatment see e.g., [25,33,34]. Let AP be a fixed, finite set of 
atomic propositions. 

Definition 1. A fully probabilistic system (FPS) is a tuple D = (S, P, L) where:

— S is a countable set of states

— P : S × S → [0, 1] is a probability matrix satisfying $\sum_{s' \in S} P(s, s') \leq 1$ for all s ∈ S

— L : S → 2^{AP} is a labelling function which assigns to each state s ∈ S the set L(s) of
atomic propositions that are valid in s. ■

If $\sum_{s' \in S} P(s, s') = 1$, state s is called stochastic; if this sum equals zero, state s is called
absorbing; otherwise, s is called sub-stochastic.

Definition 2. A (labelled) DTMC is an FPS where any state is either stochastic or absorb-
ing, i.e., $\sum_{s' \in S} P(s, s') \in \{0, 1\}$ for all s ∈ S. ■

For C ⊆ S, $P(s, C) = \sum_{s' \in C} P(s, s')$ denotes the probability for s to move to a C-
state. For technical reasons, P(s, ⊥) = 1 − P(s, S). Intuitively, P(s, ⊥) denotes the
probability to stay forever in s without performing any transition; although ⊥ is not a
"real" state (i.e., ⊥ ∉ S), it may be regarded as a deadlock. In the context of simulation
relations later on, ⊥ is treated as an auxiliary state that is simulated by any other state. Let
S_⊥ = S ∪ {⊥}. Post(s) = {s' | P(s, s') > 0} denotes the set of direct successor states
of s, and Post_⊥(s) = {s' ∈ S_⊥ | P(s, s') > 0}, i.e., Post(s) ∪ {⊥ | P(s, ⊥) > 0}.

We consider FPSs and therefore also DTMCs as time-abstract models. The name DTMC 
has historical reasons. A (discrete-)timed interpretation is appropriate in settings where all 
state changes occur at equidistant time points. For weak relations the time-abstract view 
will be decisive. In contrast, CTMCs are considered as time-aware, as they have an explicit 
reference to (real-)time, in the form of transition rates which determine the stochastic 
evolution of the system in time. 

Definition 3. A (labelled) CTMC is a tuple C = (S, R, L) with S and L as before, and
rate matrix R : S × S → ℝ_{≥0} such that the exit rate $E(s) = \sum_{s' \in S} R(s, s')$ is finite. ■

As in the discrete case, Post(s) = {s' | R(s, s') > 0} denotes the set of direct successor
states of s, and for C ⊆ S, $R(s, C) = \sum_{s' \in C} R(s, s')$ denotes the rate of moving from
state s to C via a single transition.

The meaning of R(s, s') = λ > 0 is that with probability $1 - e^{-\lambda t}$ the transition
s → s' is enabled within the next t time units (provided that the current state is s). If
R(s, s') > 0 for more than one state s', a race between the outgoing transitions from s
exists. The probability of s' winning this race before time t is $\frac{R(s, s')}{E(s)} \cdot \big(1 - e^{-E(s)\, t}\big)$. With
t → ∞ we get the time-abstract behaviour by the so-called embedded DTMC:

Definition 4. The embedded DTMC of CTMC C = (S, R, L) is given by emb(C) =
(S, P, L), where P(s, s') = R(s, s')/E(s) if E(s) > 0 and P(s, s') = 0 otherwise.



A CTMC is called uniformised if all states in C have the same exit rate. Each CTMC can
be transformed into a uniformised CTMC by adding self-loops [39]:

Definition 5. Let C = (S, R, L) be a CTMC and let (uniformisation rate) E be a real
such that E ≥ max_{s ∈ S} E(s). Then, unif(C) = (S, R̄, L) is a uniformised CTMC with
R̄(s, s') = R(s, s') for s ≠ s', and R̄(s, s) = R(s, s) + E − E(s). ■

In unif(C) all rates of self-loops are “normalised” with respect to E, such that state transi- 
tions occur with an average “pace” of E, uniform for all states of the chain. We will later 
see that C and unif(C) are related by weak bisimulation. 

Paths and the probability measures on paths in FPSs and CTMCs are defined by a 
standard construction, e.g., [25,33,34], and are omitted here. 

3 Bisimulation and Simulation 

We will use the subscript “d” to identify relations defined in the discrete setting (FPSs or 
DTMCs), and “c” for the continuous setting (CTMCs). 

Definition 6. [33,35,32,24] Let D = (S, P, L) be an FPS and R an equivalence relation on
S. R is a strong bisimulation on D if for s1 R s2: L(s1) = L(s2) and P(s1, C) = P(s2, C)
for all C in S/R. s1 and s2 in D are strongly bisimilar, denoted s1 ~d s2, if there exists a
strong bisimulation R on D with s1 R s2. ■
Definition 7. [14,28] Let C = (S, R, L) be a CTMC and R an equivalence relation on S.
R is a strong bisimulation on C if for s1 R s2: L(s1) = L(s2) and R(s1, C) = R(s2, C)
for all C in S/R. s1 and s2 in C are strongly bisimilar, denoted s1 ~c s2, if there exists a
strong bisimulation R on C with s1 R s2. ■

As R(s, C) = P(s, C) · E(s), the condition on the cumulative rates can be reformulated
as (i) P(s1, C) = P(s2, C) for all C ∈ S/R and (ii) E(s1) = E(s2). Hence, ~c agrees
with ~d in the embedded DTMC provided that exit rates are treated as additional atomic
propositions. By the standard construction, it can be shown that ~d and ~c are the coarsest
strong bisimulations.

Proposition 1. For CTMC C = (S, R, L):

1. s1 ~c s2 implies s1 ~d s2 in emb(C), for any states s1, s2 ∈ S.

2. If C is uniformised then ~c coincides with ~d in emb(C).
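A worked example of Definitions 4 to 7 and Proposition 1 on a constructed three-state CTMC, added here and not taken from the paper: the embedded DTMC, uniformisation with rate E = 2, and the coarsest strong bisimulation computed by partition refinement. The CTMC case runs the FPS algorithm on emb(C) with the exit rate added to each label, as the remark after Definition 7 suggests. State names, rates and labels are constructed:

```python
# Added example (not from the paper): embedded DTMC (Def. 4), uniformisation
# (Def. 5) and the coarsest strong bisimulation (Def. 6/7, Prop. 1) by partition
# refinement, on a constructed three-state CTMC.
from fractions import Fraction as F

def exit_rate(R, s):
    """E(s) = sum over s' of R(s, s')."""
    return sum(R[s].values(), F(0))

def embedded_dtmc(R):
    """emb(C): P(s, s') = R(s, s')/E(s) if E(s) > 0, else 0 (Def. 4)."""
    P = {}
    for s in R:
        e = exit_rate(R, s)
        P[s] = {t: r / e for t, r in R[s].items()} if e > 0 else {}
    return P

def uniformise(R, E):
    """unif(C): off-diagonal rates unchanged, self-loop rate R(s, s) + E - E(s) (Def. 5).
    E must be at least the largest exit rate."""
    assert E >= max(exit_rate(R, s) for s in R)
    U = {s: dict(R[s]) for s in R}
    for s in U:
        U[s][s] = U[s].get(s, F(0)) + E - exit_rate(R, s)
    return U

def strong_bisim_fps(states, label, P):
    """Coarsest strong bisimulation of an FPS (Def. 6) by partition refinement:
    start from the labelling partition and split a block whenever two of its members
    differ in P(s, C) for some current block C; stop when nothing splits any more."""
    partition = {}
    for s in states:
        partition.setdefault(label(s), []).append(s)
    partition = list(partition.values())
    while True:
        block_index = {s: i for i, B in enumerate(partition) for s in B}
        def signature(s):
            # own block (so the refinement only ever splits) plus P(s, C) for every block C
            return (block_index[s],) + tuple(
                sum((P[s].get(t, F(0)) for t in C), F(0)) for C in partition)
        refined = {}
        for s in states:
            refined.setdefault(signature(s), []).append(s)
        refined = list(refined.values())
        if len(refined) == len(partition):
            return {frozenset(B) for B in refined}
        partition = refined

def strong_bisim_ctmc(states, label, R):
    """Coarsest strong bisimulation of a CTMC (Def. 7): run the FPS algorithm on
    emb(C) with the exit rate treated as an extra atomic proposition."""
    return strong_bisim_fps(states, lambda s: (label(s), exit_rate(R, s)), embedded_dtmc(R))

# Constructed CTMC: s0 and s1 both move to u with probability 1, but s1 twice as fast.
RATES = {'s0': {'u': F(1)}, 's1': {'u': F(2)}, 'u': {}}
LABEL = {'s0': 'a', 's1': 'a', 'u': 'b'}
STATES = ['s0', 's1', 'u']

def compare():
    """Prop. 1.1 in action: ~d in emb(C) is coarser than ~c (s0 ~d s1 but not s0 ~c s1);
    after uniformisation with E = 2, ~c and ~d in emb(unif(C)) agree (Prop. 1.2)."""
    emb = strong_bisim_fps(STATES, LABEL.get, embedded_dtmc(RATES))
    ctmc = strong_bisim_ctmc(STATES, LABEL.get, RATES)
    U = uniformise(RATES, F(2))
    unif_emb = strong_bisim_fps(STATES, LABEL.get, embedded_dtmc(U))
    unif_ctmc = strong_bisim_ctmc(STATES, LABEL.get, U)
    return emb, ctmc, unif_emb, unif_ctmc

if __name__ == "__main__":
    for name, part in zip(("emb", "ctmc", "unif_emb", "unif_ctmc"), compare()):
        print(name, [sorted(B) for B in part])
```

Uniformisation gives s0 a self-loop of rate 1, so in emb(unif(C)) the states s0 and s1 are no longer strongly bisimilar, which is exactly what Proposition 1.2 predicts from s0 and s1 not being ~c-related.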

Definition 8. A distribution on set S is a function μ : S → [0, 1] with $\sum_{s \in S} \mu(s) \leq 1$. ■

We put $\mu(\bot) = 1 - \sum_{s \in S} \mu(s)$. Distr(S) denotes the set of all distributions on S.
Distribution μ on S is called stochastic if μ(⊥) = 0. For simulation relations, the concept of
weight functions is important.

Definition 9. [29,31] Let S be a set, R ⊆ S × S, and μ, μ' ∈ Distr(S). A weight function
for μ and μ' with respect to R is a function Δ : S_⊥ × S_⊥ → [0, 1] such that:

1. Δ(s, s') > 0 implies s R s' or s = ⊥

2. $\mu(s) = \sum_{s' \in S_\bot} \Delta(s, s')$ for any s ∈ S_⊥

3. $\mu'(s') = \sum_{s \in S_\bot} \Delta(s, s')$ for any s' ∈ S_⊥

We write μ ⊑_R μ' (or simply μ ⊑ μ', if R is clear from the context) iff there exists a weight
function for μ and μ' with respect to R. ⊑_R is the lift of R to distributions. ■

Definition 10. [31] Let D = (S, P, L) be an FPS and R ⊆ S × S. R is a strong simulation
on D if for all s1 R s2: L(s1) = L(s2) and P(s1, ·) ⊑_R P(s2, ·). s2 strongly simulates s1
in D, denoted s1 ≼d s2, iff there exists a strong simulation R on D such that s1 R s2. ■

It is not difficult to see that s1 ~d s2 implies s1 ≼d s2. For a DTMC without absorbing
states, ≼d is symmetric and coincides with ~d, see [31].

Proposition 2. [5,16] For any FPS, ≼d ∩ ≽d coincides with ~d.
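Deciding whether a weight function (Definition 9) exists, and thereby checking Definition 10 for a candidate relation R, as an added example that is not from the paper: the three conditions describe a transportation problem, so μ ⊑_R μ' holds iff a bipartite network whose middle edges are the pairs with s R s' or s = ⊥ carries a maximum flow of value 1. The FPS, its labels and the two relations are constructed, and the string 'bottom' stands for ⊥:

```python
# Added example (not from the paper): deciding whether a weight function (Def. 9)
# exists, and hence checking a candidate strong simulation (Def. 10), by max-flow.
from fractions import Fraction as F
from collections import deque

BOT = 'bottom'   # the auxiliary deadlock state, written as an inverted T in the paper

def max_flow(cap, src, sink):
    """Edmonds-Karp on a capacity dict {u: {v: capacity}}; returns the flow value."""
    nodes = set(cap) | {v for u in cap for v in cap[u]}
    adj = {u: set() for u in nodes}
    for u in cap:
        for v in cap[u]:
            adj[u].add(v)
            adj[v].add(u)          # reverse edge so augmenting paths can undo flow
    flow = {}                      # skew-symmetric: flow[(u, v)] == -flow[(v, u)]
    def residual(u, v):
        return cap.get(u, {}).get(v, F(0)) - flow.get((u, v), F(0))
    total = F(0)
    while True:
        parent, queue = {src: None}, deque([src])
        while queue and sink not in parent:           # BFS for a shortest augmenting path
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and residual(u, v) > 0:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return total
        path, v = [], sink
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(residual(u, v) for u, v in path)
        for u, v in path:
            flow[(u, v)] = flow.get((u, v), F(0)) + bottleneck
            flow[(v, u)] = flow.get((v, u), F(0)) - bottleneck
        total += bottleneck

def weight_function_exists(mu, mu2, R):
    """mu <=_R mu' (Def. 9) iff the mass of mu can be transported to mu' along pairs
    (s, s') with s R s' or s = bottom: a bipartite flow problem whose value must be 1."""
    mu, mu2 = dict(mu), dict(mu2)
    mu[BOT] = 1 - sum(mu.values(), F(0))      # mu(bottom) = 1 - sum of mu (after Def. 8)
    mu2[BOT] = 1 - sum(mu2.values(), F(0))
    cap = {'src': {}}
    for s, m in mu.items():
        if m <= 0:
            continue
        cap['src'][('L', s)] = m
        cap[('L', s)] = {('R', t): F(1) for t, m2 in mu2.items()
                         if m2 > 0 and (s == BOT or (s, t) in R)}   # capacity 1 suffices: total mass is 1
    for t, m2 in mu2.items():
        if m2 > 0:
            cap[('R', t)] = {'sink': m2}
    return max_flow(cap, 'src', 'sink') == 1

def is_strong_simulation(P, label, R):
    """Def. 10: every related pair has equal labels and P(s1, .) <=_R P(s2, .)."""
    return all(label[s1] == label[s2] and weight_function_exists(P[s1], P[s2], R)
               for s1, s2 in R)

# Constructed FPS: s1 reaches u with probability 1/2 and deadlocks otherwise; s2 reaches u surely.
P = {'s1': {'u': F(1, 2)}, 's2': {'u': F(1)}, 'u': {}}
LABEL = {'s1': 'a', 's2': 'a', 'u': 'b'}
R_UP = {('s1', 's2'), ('u', 'u')}     # s2 simulates s1: the deadlock mass of s1 is absorbed by u
R_DOWN = {('s2', 's1'), ('u', 'u')}   # s1 does not simulate s2: u's mass cannot go to bottom

if __name__ == "__main__":
    print("s1 <=d s2:", is_strong_simulation(P, LABEL, R_UP))
    print("s2 <=d s1:", is_strong_simulation(P, LABEL, R_DOWN))
```

The asymmetry of the two relations is exactly the "⊥ is simulated by any other state" convention: the deadlock mass of s1 may flow to u, but the mass u carries for s2 has nowhere to go in P(s1, ·) except ⊥, which is not R-related to u.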

Definition 11. Let C = (S, R, L) be a CTMC and R ⊆ S × S. R is a strong simulation on
C if for all s1 R s2: L(s1) = L(s2), P(s1, ·) ⊑_R P(s2, ·) and E(s1) ≤ E(s2). s2 strongly
simulates s1 in C, denoted s1 ≼c s2, iff there exists a strong simulation R on C such that
s1 R s2. ■

Proposition 3. For any CTMC C:

1. s1 ~c s2 implies s1 ≼c s2, for any states s1, s2 ∈ S.

2. s1 ≼c s2 implies s1 ≼d s2 in emb(C), for any states s1, s2 ∈ S.

3. ≼c ∩ ≽c coincides with ~c.

4. If C is uniformised then ≼c is symmetric and coincides with ~c.




496 C. Baier et al.



Weak Bisimulation. In this paper, we only consider weak bisimulation which relies on
branching bisimulation in the style of van Glabbeek and Weijland and only abstracts from
stutter-steps inside the equivalence classes. While for ordinary transition systems branch-
ing bisimulation is strictly finer than Milner's observational equivalence, they agree for
FPSs [7], and thus for CTMCs.

Let D = (S, P, L) be a DTMC and R ⊆ S × S an equivalence relation. Any transition
s → s' where s and s' are R-equivalent is an R-silent move. Let Silent_R denote the set of
states s ∈ S for which P(s, [s]_R) = 1, i.e., all stochastic states that do not have a successor
state outside their R-equivalence class. For any state s ∉ Silent_R, s' ∈ S with s' ∉ [s]_R:

$$P(s, s' \mid \text{no } R\text{-silent move}) = \frac{P(s, s')}{1 - P(s, [s]_R)}$$

denotes the conditional probability to move from s to s' via a single transition under the
condition that from s no transition inside [s]_R is taken. Thus, either a transition is taken
to another equivalence class under R or, for sub-stochastic states, the system deadlocks.
For C ⊆ S with C ∩ [s]_R = ∅ let $P(s, C \mid \text{no } R\text{-silent move}) = \sum_{s' \in C} P(s, s' \mid \text{no } R\text{-silent move})$.

Definition 12. [7] Let D = (S, P, L) be an FPS and R an equivalence relation on S. R is
a weak bisimulation on D if for all s1 R s2:

1. L(s1) = L(s2)

2. If s1, s2 ∉ Silent_R then: P(s1, C | no R-silent move) = P(s2, C | no R-silent move)
for all C ∈ S/R, C ≠ [s1]_R.

3. If s1 ∈ Silent_R and s2 ∉ Silent_R then s1 can reach a state s' ∈ [s1]_R \ Silent_R with
positive probability.

s1 and s2 in D are weakly bisimilar, denoted s1 ≈d s2, iff there exists a weak bisimulation
R on D such that s1 R s2. ■

By the third condition, for any R-equivalence class C, either all states in C are R-silent (i.e.,
P(s, C) = 1 for s ∈ C) or for s ∈ C there is a path fragment that ends in an equivalence
class that differs from C.
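A checker for Definition 12 on a constructed FPS, added here and not the paper's own code: it computes Silent_R, the conditional probabilities P(s, C | no R-silent move) and the reachability condition, with R given as a partition. The second partition below shows, in the spirit of Example 1, why condition 3 cannot be dropped: a state that stutters forever would otherwise be related to states that do reach u.

```python
# Added example (not from the paper): the conditional probabilities
# P(s, C | no R-silent move) and a checker for Def. 12 on a constructed FPS.
from fractions import Fraction as F
from collections import deque

def block_of(partition, s):
    """The R-equivalence class [s]_R, with R given as a partition."""
    return next(B for B in partition if s in B)

def prob(P, s, C):
    """P(s, C) = sum over s' in C of P(s, s')."""
    return sum((P[s].get(t, F(0)) for t in C), F(0))

def is_silent(P, partition, s):
    """s in Silent_R iff P(s, [s]_R) = 1."""
    return prob(P, s, block_of(partition, s)) == 1

def cond_prob(P, partition, s, C):
    """P(s, C | no R-silent move) for s not silent and C disjoint from [s]_R."""
    B = block_of(partition, s)
    assert not is_silent(P, partition, s) and not (C & B)
    return prob(P, s, C) / (1 - prob(P, s, B))

def reaches_non_silent(P, partition, s):
    """Condition 3 of Def. 12: from a silent s, some non-silent state of [s]_R is
    reachable with positive probability. A silent state never leaves its class,
    so the search can stay inside the class."""
    B = block_of(partition, s)
    seen, queue = {s}, deque([s])
    while queue:
        x = queue.popleft()
        if not is_silent(P, partition, x):
            return True
        for y, p in P[x].items():
            if p > 0 and y in B and y not in seen:
                seen.add(y)
                queue.append(y)
    return False

def is_weak_bisimulation(P, label, partition):
    """Check conditions 1-3 of Def. 12 for every pair of states sharing a block."""
    for B in partition:
        members = sorted(B)
        for i, s1 in enumerate(members):
            for s2 in members[i + 1:]:
                if label[s1] != label[s2]:
                    return False
                sil1, sil2 = is_silent(P, partition, s1), is_silent(P, partition, s2)
                if not sil1 and not sil2:
                    for C in partition:
                        if C != B and cond_prob(P, partition, s1, C) != cond_prob(P, partition, s2, C):
                            return False
                elif sil1 != sil2:
                    if not reaches_non_silent(P, partition, s1 if sil1 else s2):
                        return False
    return True

# Constructed FPS: s0 stutters to s1, s1 either goes back or reaches u, s2 reaches u
# directly, z0 loops forever; u is absorbing.
P = {'s0': {'s1': F(1)},
     's1': {'s0': F(1, 2), 'u': F(1, 2)},
     's2': {'u': F(1)},
     'u': {},
     'z0': {'z0': F(1)}}
LABEL = {'s0': 'a', 's1': 'a', 's2': 'a', 'z0': 'a', 'u': 'b'}
GOOD = [frozenset({'s0', 's1', 's2'}), frozenset({'u'}), frozenset({'z0'})]
BAD = [frozenset({'s0', 's1', 's2', 'z0'}), frozenset({'u'})]   # z0 violates condition 3

if __name__ == "__main__":
    print("P(s1, {u} | no silent move) =", cond_prob(P, GOOD, 's1', frozenset({'u'})))
    print("GOOD is a weak bisimulation:", is_weak_bisimulation(P, LABEL, GOOD))
    print("BAD is a weak bisimulation:", is_weak_bisimulation(P, LABEL, BAD))
```

Here s0 is silent and s1, s2 are not; conditioning away the stutter step of s1 gives P(s1, {u} | no R-silent move) = (1/2)/(1 − 1/2) = 1, matching s2, so the three a-states form one weak bisimulation class, whereas z0 can only be separated by condition 3.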



Example 1. For the following DTMC (where equally shaded states are equally labeled) the
reachability condition is needed to establish a weak bisimulation for states s1 and s2:

[Figure: the DTMC of Example 1, not reproduced.]

We have s1 ≈d s2, and s1 is ≈d-silent while s2 is not. Here, the reachability condition
is obviously fulfilled. This condition can, however, not be dropped; otherwise s1 and s2
would be weakly bisimilar to an absorbing state with the same labeling. ■



Definition 13. [12] Let C = (S, R, L) be a CTMC and R an equivalence relation on S. R
is a weak bisimulation on C if for all s1 R s2: L(s1) = L(s2) and R(s1, C) = R(s2, C)
for all C ∈ S/R with C ≠ [s1]_R. s1 and s2 in C are weakly bisimilar, denoted s1 ≈c s2,
iff there exists a weak bisimulation R on C such that s1 R s2. ■

Proposition 4. For any CTMC C:

1. ~c is strictly finer than ≈c.

2. If C is uniformised then ≈c coincides with ~c.

3. ≈c coincides with ≈c in unif(C).

The last result can be strengthened as follows. Any state s in C is weakly bisimilar to s
considered as a state in unif(C). (For this, consider the disjoint union of C and unif(C) as
a single CTMC.)



Proposition 5. For CTMC C with s1, s2 ∈ S: s1 ≈c s2 implies s1 ≈d s2 in emb(C).

Proof. Let R be a weak bisimulation on C. We show that R is a weak bisimulation on emb(C)
as follows. First, observe that all R-equivalent states have the same labelling. Assume s1 R s2 and
B = [s1]_R = [s2]_R. Distinguish two cases. (i) s1 is R-silent, i.e., P(s1, B) = 1. Hence, R(s1, B) =
E(s1) and therefore 0 = R(s1, C) = R(s2, C) for all C ∈ S/R with C ≠ B. So, P(s2, B) = 1.
(ii) Neither s1 nor s2 is R-silent, i.e., P(si, B) < 1 for i=1,2. Note that:

$$E(s_i) = \sum_{C \in S/R,\; C \neq B} R(s_i, C) + R(s_i, B).$$

As s1 ≈c s2, R(s1, C) = R(s2, C) for all C ∈ S/R with C ≠ B. Hence, $\sum_{C \in S/R,\, C \neq B} R(s_1, C)
= \sum_{C \in S/R,\, C \neq B} R(s_2, C)$ and therefore E(s1) − R(s1, B) = E(s2) − R(s2, B) (*). For any
C ∈ S/R with C ≠ B we derive:

$$\begin{aligned}
P(s_1, C \mid \text{no } R\text{-silent move}) &= \frac{P(s_1, C)}{1 - P(s_1, B)} = \frac{E(s_1) \cdot P(s_1, C)}{E(s_1) - E(s_1) \cdot P(s_1, B)} \\
&\overset{\text{def. } R}{=} \frac{R(s_1, C)}{E(s_1) - R(s_1, B)} \;\overset{(*),\; s_1 \approx_c s_2}{=}\; \frac{R(s_2, C)}{E(s_2) - R(s_2, B)} = \frac{P(s_2, C)}{1 - P(s_2, B)}
\end{aligned}$$

which, by definition, equals P(s2, C | no R-silent move). So, s1 ≈d s2. ■



Remark 1. Prop. 1.2 states that for a uniformised CTMC, ~c coincides with ~d on the
embedded DTMC. The analogue for ≈c does not hold, as, e.g., in the uniformised CTMC
of Example 1 we have s1 ≈d s2 but not s1 ≈c s2, as R(s1, [u]) ≠ R(s2, [u]). Intuitively,
although s1 and s2 have the same time-abstract behaviour (up to stuttering) they have
distinct timing behaviour. s1 is "slower than" s2 as it has to perform a stutter step prior to
an observable step (from s2 to u) while s2 can immediately perform the latter step. Note
that by Prop. 4.2 and Prop. 1.2, ≈c coincides with ~d for uniformised CTMCs. In fact,
Prop. 5 can be strengthened in the following way: ≈c is the coarsest equivalence finer than
≈d such that s1 ≈c s2 implies R(s1, S \ [s1]) = R(s2, S \ [s2]). ■

Weak Simulation. Weak simulation on FPSs is inspired by our work on CTMCs [8]. Roughly
speaking, s1 ≾d s2 if the successor states of s1 and s2 can be grouped into subsets U_i and
V_i (assume, for simplicity, U_i ∩ V_i = ∅). All transitions from s_i to V_i are viewed as
stutter-steps, i.e., internal transitions that do not change the labelling and respect R. To
that end, any state in V_1 is required to be simulated by s2 and, symmetrically, any state
in V_2 simulates s1. Transitions from s_i to U_i are regarded as visible steps. Accordingly,
we require that the distributions for the conditional probabilities u_1 ↦ P(s1, u_1)/K_1 and
u_2 ↦ P(s2, u_2)/K_2 to move from s_i to U_i are related via a weight function (as for ≼d). K_i
denotes the total probability to move from s_i to a state in U_i in a single step. For technical
reasons, we allow ⊥ ∈ U_i and ⊥ ∈ V_i.

[Figure: schematic of the weak-simulation conditions; of the drawing only the labels "simulated by s2", "weight function condition" and "simulating s1" survive.]

Definition 14. Let D = (S, P, L) be an FPS and R ⊆ S × S. R is a weak simulation
on D iff for s1 R s2: L(s1) = L(s2) and there exist functions δ_i : S_⊥ → [0, 1] and sets
U_i, V_i ⊆ S_⊥ (i=1,2) with

$$U_i = \{\, u_i \in Post_\bot(s_i) \mid \delta_i(u_i) > 0 \,\} \quad\text{and}\quad V_i = \{\, v_i \in Post_\bot(s_i) \mid \delta_i(v_i) < 1 \,\}$$

such that:

1. (a) v1 R s2 for all v1 ∈ V1, v1 ≠ ⊥, and (b) s1 R v2 for all v2 ∈ V2, v2 ≠ ⊥

2. there exists a function Δ : S_⊥ × S_⊥ → [0, 1] such that:

a) Δ(u1, u2) > 0 implies u1 ∈ U1, u2 ∈ U2 and either u1 R u2 or u1 = ⊥,

b) if K1 > 0 and K2 > 0 then for all states w ∈ S:

$$K_1 \cdot \sum_{u_2 \in U_2} \Delta(w, u_2) = \delta_1(w) \cdot P(s_1, w), \qquad K_2 \cdot \sum_{u_1 \in U_1} \Delta(u_1, w) = \delta_2(w) \cdot P(s_2, w)$$

where $K_i = \sum_{u_i \in U_i} \delta_i(u_i) \cdot P(s_i, u_i)$ for i=1,2

3. for u1 ∈ U1, u1 ≠ ⊥, there exists a path fragment s2, w1, ..., wn, u2 such that n ≥ 0,
s1 R wj for 0 < j ≤ n, and u1 R u2.

s2 weakly simulates s1 in D, denoted s1 ≾d s2, iff there exists a weak simulation R on D
such that s1 R s2. ■

Note the correspondence to ≈d (cf. Def. 12), where [s1]_R plays the role of V1, while the
successors outside [s1]_R play the role of U1, and the same for s2, V2 and U2.

Comparative Branching-Time Semantics for Markov Chains 499

Example 2. In the following FPS we have s1 ≾d s2:

[Figure: the FPS of Example 2, not reproduced.]

First, observe that w1 ≾d w2 since R = {(q1, q2), (w1, w2)} is a weak simulation, as we
may deal with

- δ1 the characteristic function of U1 = {q1, ⊥} (and, thus, V1 = ∅ and K1 = 1)

- δ2 the characteristic function of U2 = {r2, q2, ⊥} (and V2 = ∅ and K2 = 1)

and the weight function Z\(<7i, ( 72 ) = ^(J-,t? 2 ) = ^,^{-^,^2) = ^(-L,-L) = 5- To 

establish a weak simulation for (si, S 2 ) consider the relation: 

R = {(si,S2), (ui,U2), {wi,W2), (gi,®)} 

and put Vi = {_L,Si} and V2 = 0 while Ui = {ui,Wi, -L} where i5i(_L) = 1/2, 
S^{ui) = 6i{wi) = <52(-L) = 1. Then, Ki = ^ + ^+ ^- ^ = l, K2 = \ + \ + ^ = l. 

This yields the following distribution for the U-successors of si and 52:^1 : 

L-.\,U 2 -.\,W 2 - ^andT : |.Notethat,e.g., = | and = i. 

Hence, an appropriate weight function is: Z\(mi,M 2 ) = A{wi,W 2 ) = Z\(_L,_L) = 

and Z\(-) = 0 for the remaining cases. Thus, according to Def. 14, i? is a weak simulation. 



Proposition 6. For any FPS D: s1 ≼d s2 implies s1 ≾d s2, and s1 ≈d s2 implies s1 ≾d s2.



Definition 15. [8] Let C = (S, R, L) be a CTMC and R ⊆ S × S. R is a weak simulation
on C iff for s1 R s2: L(s1) = L(s2) and there exist δ_i : S → [0, 1] and U_i, V_i ⊆ S (i=1,2)
satisfying conditions 1. and 2. of Def. 14 (ignoring ⊥) and the rate condition:

$$\sum_{u_1 \in U_1} \delta_1(u_1) \cdot R(s_1, u_1) \;\leq\; \sum_{u_2 \in U_2} \delta_2(u_2) \cdot R(s_2, u_2)$$

s2 weakly simulates s1 in C, denoted s1 ≾c s2, iff there exists a weak simulation R on C
such that s1 R s2. ■

The condition on the rates, which replaces the reachability condition in FPSs, states that s2
is "faster than" s1 in the sense that the total rate to move from s2 to (the δ2-part of) the
U2-states is at least the total rate to move from s1 to (the δ1-part of) the U1-states. Note that
$K_i \cdot E(s_i) = \sum_{u_i \in U_i} \delta_i(u_i) \cdot R(s_i, u_i)$. Hence, the condition in Def. 15 can be rewritten as
K1·E(s1) ≤ K2·E(s2). In particular, K2 = 0 implies K1 = 0. Therefore, a reachability
condition as for weak simulation on FPSs is not needed here.

Proposition 7. For CTMC C and states s1, s2 ∈ S:

1. s1 ≾c s2 implies s1 ≾d s2 in emb(C).

2. s1 ≈c s2 implies s1 ≾c s2.

3. ≾c coincides with ≾c in unif(C).

A few remarks are in order. Although ≈c and ≈d coincide for uniformised CTMCs (as ≈c
agrees with ~c, ~c agrees with ~d, and ~d agrees with ≈d), this does not hold for ≾d and ≾c.
For example, in:

s2 ≾d s1 in the embedded DTMC (on the right), but not s2 ≾c s1 in the CTMC (on the left),
as the rate condition in Def. 15 is violated. Secondly, note that the analogue of Prop. 7.3
for ≾d does not hold. This can be seen by considering the above embedded DTMC (on the
right) as a uniformised CTMC. Finally, we note that although for uniformised CTMCs
~c and ≈c agree, a similar result for the simulation preorders does
not hold. An example CTMC for which s1 ≾c s2 but not s1 ≼c s2
is depicted on the left. The fact that s2 does not strongly simulate s1 follows from
the weight function condition in Def. 11. To see that s1 ≾c s2, consider the reflexive
closure R of {(s1, s2)} and the partitioning V1 = {s2}, V2 = {s1} and U1 = U2 = {u}
for which the conditions of a weak simulation are fulfilled.

Theorem 1.

1. For any FPS, weak simulation equivalence coincides with ≈d.

2. For any CTMC, weak simulation equivalence coincides with ≈c.

4 Logical Characterisations

PCTL. In Probabilistic CTL (PCTL) [26], state-formulas are interpreted over states of an
FPS and path-formulas are interpreted over paths (i.e., sequences of states) in an FPS. The
syntax of PCTL is as follows*, where ⊴ ∈ {≤, <, ≥, >}:

$$\Phi ::= \mathit{tt} \;\mid\; a \;\mid\; \Phi \wedge \Phi \;\mid\; \neg\Phi \;\mid\; \mathcal{P}_{\trianglelefteq p}(X\,\Phi) \;\mid\; \mathcal{P}_{\trianglelefteq p}(\Phi\; U\; \Phi) \;\mid\; \mathcal{P}_{\trianglelefteq p}(\Phi\; W\; \Phi)$$

where p ∈ [0, 1] and a ∈ AP. The satisfaction relation ⊨ is similar to CTL, where s ⊨
P_{⊴p}(φ) iff Pr(s, φ) ⊴ p. Here, Pr(s, φ) denotes the probability measure of the set of paths
starting in state s fulfilling path-formula φ. As in CTL, X is the next-step operator, and the
path-formula Φ U Ψ asserts that Ψ will eventually be satisfied and that at all preceding states
Φ holds (strong until). W is its weak counterpart, and does not require Ψ to eventually
become true. The until-operator and the weak until-operator are closely related. For any
PCTL-formulae Φ and Ψ the following two formulae are equivalent:

$$\mathcal{P}_{\geq p}(\Phi\; W\; \Psi) \qquad\text{and}\qquad \mathcal{P}_{\leq 1-p}\big((\neg\Psi)\; U\; (\neg\Phi \wedge \neg\Psi)\big).$$

A similar equivalence holds when the weak until- and the until-operator are swapped.
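An added example, not from the paper, computing Pr(s, Φ U Ψ) exactly on a constructed DTMC (backward reachability followed by a linear system over rationals) and Pr(s, Φ W Ψ) through the duality just stated. The DTMC, its labelling and the state h that stays in Φ forever (the case in which until and weak until differ) are constructed:

```python
# Added example (not from the paper): exact computation of Pr(s, Phi U Psi) and
# Pr(s, Phi W Psi) on a constructed DTMC, and a check of the until/weak-until duality.
from fractions import Fraction as F

def solve_linear(A, b):
    """Gauss-Jordan elimination over Fractions; A is assumed non-singular."""
    n = len(b)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next(r for r in range(c, n) if M[r][c] != 0)
        M[c], M[piv] = M[piv], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                factor = M[r][c]
                M[r] = [a - factor * v for a, v in zip(M[r], M[c])]
    return [M[r][n] for r in range(n)]

def until_prob(states, P, phi, psi):
    """Pr(s, phi U psi) for every state of a DTMC (rows of P sum to 1).
    psi-states get 1, states with no phi-path to a psi-state get 0, and the
    remaining states are the unique solution of x = P x + P(., psi-states)."""
    one = {s for s in states if psi(s)}
    reach = set(one)                         # backward reachability through phi-states
    grown = True
    while grown:
        grown = False
        for s in states:
            if s not in reach and phi(s) and any(p > 0 and t in reach for t, p in P[s].items()):
                reach.add(s)
                grown = True
    unknown = [s for s in states if s in reach and s not in one]
    idx = {s: i for i, s in enumerate(unknown)}
    A = [[F(0)] * len(unknown) for _ in unknown]
    b = [F(0)] * len(unknown)
    for s in unknown:
        i = idx[s]
        A[i][i] += 1                          # (I - P) restricted to the unknown states
        for t, p in P[s].items():
            if t in idx:
                A[i][idx[t]] -= p
            elif t in one:
                b[i] += p                     # one-step probability into the psi-states
    x = solve_linear(A, b)
    return {s: F(1) if s in one else (x[idx[s]] if s in idx else F(0)) for s in states}

def weak_until_prob(states, P, phi, psi):
    """Pr(s, phi W psi) = 1 - Pr(s, (not psi) U (not phi and not psi)): the duality
    behind the equivalence of P_{>=p}(Phi W Psi) and P_{<=1-p}((not Psi) U (not Phi and not Psi))."""
    dual = until_prob(states, P, lambda s: not psi(s), lambda s: not phi(s) and not psi(s))
    return {s: 1 - v for s, v in dual.items()}

# Constructed DTMC: s0, s1 and h carry proposition a; g is the goal, f a failure.
STATES = ['s0', 's1', 'g', 'f', 'h']
P = {'s0': {'s1': F(1, 2), 'f': F(1, 2)},
     's1': {'s0': F(1, 3), 'g': F(2, 3)},
     'g': {'g': F(1)},
     'f': {'f': F(1)},
     'h': {'h': F(1)}}
LABEL = {'s0': {'a'}, 's1': {'a'}, 'g': {'goal'}, 'f': set(), 'h': {'a'}}
has_a = lambda s: 'a' in LABEL[s]
goal = lambda s: 'goal' in LABEL[s]

def example():
    """Pr(a U goal) and Pr(a W goal) for every state; they differ only at h,
    which stays in a forever."""
    return until_prob(STATES, P, has_a, goal), weak_until_prob(STATES, P, has_a, goal)

if __name__ == "__main__":
    until, weak = example()
    for s in STATES:
        print(s, "Pr(a U goal) =", until[s], " Pr(a W goal) =", weak[s])
```

From s0 the until probability is 2/5 (the cycle s0, s1 is left towards g with probability 2/3 and towards f with probability 1/2 per round), and the weak-until probability agrees everywhere except at h, where Pr(a U goal) = 0 but Pr(a W goal) = 1.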

* The bounded until-operator [26] is omitted here as for weak relations, FPSs are viewed as being 
time-abstract. For the strong relations on FPSs, this operator could, however, be considered without 
any problem. 
CSL. Continuous Stochastic Logic (CSL) [10] is a variant of the (identically named) logic
by Aziz et al. [4] and extends PCTL by operators that reflect the real-time nature of CTMCs:
a time-bounded until-operator and a steady-state operator. We focus here on a fragment of
CSL where the time bounds of (weak) until are of the form ≤ t; other time bounds can
be handled by mappings on this case, cf. [6]. The syntax of CSL is, for real t, or t = ∞:

$$\Phi ::= \mathit{tt} \;\mid\; a \;\mid\; \Phi \wedge \Phi \;\mid\; \neg\Phi \;\mid\; \mathcal{P}_{\trianglelefteq p}(X\,\Phi) \;\mid\; \mathcal{P}_{\trianglelefteq p}(\Phi\; U^{\leq t}\; \Phi) \;\mid\; \mathcal{P}_{\trianglelefteq p}(\Phi\; W^{\leq t}\; \Phi) \;\mid\; \mathcal{S}_{\trianglelefteq p}(\Phi)$$

To have a well-defined steady-state operator it is assumed that the steady-state probabilities
in the CTMC exist for any starting state. Intuitively, S_{⊴p}(Φ) asserts that in the long run
the probability for a Φ-state meets the bound ⊴ p. The path-formula Φ U^{≤t} Ψ asserts that
Ψ is satisfied at some time instant before t and that at all preceding time instants Φ holds
(strong until). The connection between the until-operator and the weak until-operator is as
in PCTL.



Logical Characterisation of Bisimulation. In both the discrete and the continuous setting, 
strong bisimulation ($\sim_d$ and $\sim_c$) coincides with logical equivalence (in PCTL and CSL, 
respectively) [3,6,19]. For weak bisimulation, the next-step operator is ignored, as it is not 
invariant with respect to stuttering. Let $\mathrm{PCTL}_{\setminus X}$ denote the fragment of PCTL without the 
next-step operator; similarly, $\mathrm{CSL}_{\setminus X}$ is defined. $\mathrm{PCTL}_{\setminus X}$-equivalence (denoted $=_{\mathrm{PCTL}_{\setminus X}}$) 
and $\mathrm{CSL}_{\setminus X}$-equivalence ($=_{\mathrm{CSL}_{\setminus X}}$) are defined in the obvious way. 

Theorem 2. For any FPS: $\approx_d$ coincides with $\mathrm{PCTL}_{\setminus X}$-equivalence. 

Proof. By structural induction on the syntax of $\mathrm{PCTL}_{\setminus X}$-formulae. We only consider the until op- 
erator. Let $\varphi = \Phi_1\, U\, \Phi_2$. By the induction hypothesis we may assume that $Sat(\Phi_i)$ for $i = 1, 2$ is 
a disjoint union of equivalence classes under $\approx_d$. Let $B = [s]_{\approx_d}$. Then, $B \cap Sat(\Phi_i) = \emptyset$ or 
$B \subseteq Sat(\Phi_i)$. Only the cases $B \subseteq Sat(\Phi_1)$ and $B \cap Sat(\Phi_2) = \emptyset$ are of interest; otherwise, 
$\Pr(s_1,\varphi) = \Pr(s_2,\varphi) \in \{0,1\}$ for all $s_1, s_2 \in B$. Let $S'$ be the set of states that reach a $\Phi_2$-state 
via a (non-empty) $\Phi_1$-path, i.e., $S' = \{\, s \in Sat(\Phi_1) \setminus Sat(\Phi_2) \mid \Pr(s,\varphi) > 0 \,\}$. It follows that $S'$ 
is the disjoint union of equivalence classes under $\approx_d$. 

We first observe the following. For $s \notin S'$, $\Pr(s,\varphi) \in \{0,1\}$. For $s \in S'$, the vector 
$(\Pr(s,\varphi))_{s \in S'}$ is the unique solution of the equation system: 

$$x_s \;=\; \mathbf{P}(s, Sat(\Phi_2)) \;+\; \sum_{s' \in Sat(\Phi_1) \setminus Sat(\Phi_2)} \mathbf{P}(s,s') \cdot x_{s'} \qquad (1)$$ 

For any $\approx_d$-equivalence class $B \subseteq S'$, select $s_B \in B$ such that $\mathbf{P}(s_B, B) < 1$. Such a state is 
guaranteed to exist, since if $\mathbf{P}(s,B)$ were equal to $1$ for all $s \in B$ then none of the $B$-states could 
reach a $\Phi_2$-state, contradicting $B \subseteq S'$. Now consider the unique solution $(x_B)_{B \in S/\approx_d,\, B \subseteq S'}$ of 
the equation system: 

$$x_B \;=\; \mathbf{P}(s_B, Sat(\Phi_2)) \;+\; \sum_{C \subseteq S'} \mathbf{P}(s_B, C) \cdot x_C .$$ 

A calculation shows that the vector $(x_s)_{s \in S'}$ where $x_s = x_B$ if $s \in B$ is a solution to (1). Hence, 
$x_B = \Pr(s,\varphi)$ for all states $s \in B$. 

The fact that $\mathrm{PCTL}_{\setminus X}$-equivalence implies $\approx_d$ is proven as follows. W.l.o.g. we assume $S$ to be 
finite and that any equivalence class $C$ under $=_{\mathrm{PCTL}_{\setminus X}}$ is represented by a $\mathrm{PCTL}_{\setminus X}$-formula $\Phi_C$ (for 
infinite-state CTMCs approximations of master-formulae can be used). For $\mathrm{PCTL}_{\setminus X}$ equivalence 
classes $B$ and $C$ with $B \neq C$, consider the path formulae $\varphi = \Phi_B\, U\, \Phi_C$ and $\psi = \Diamond\neg\Phi_B$. Then 
$\Pr(s_1,\varphi) = \Pr(s_2,\varphi)$ and $\Pr(s_1,\psi) = \Pr(s_2,\psi)$ for any $s_1, s_2 \in B$. In particular, if $\mathbf{P}(s,B) < 1$ 
for some $s \in B$ then $\Pr(s,\psi) > 0$. Hence, for any $s' \in B$ there exists a path leading from $s'$ to a 
state not in $B$. Assume that $s_1, s_2 \in B$ and that $\mathbf{P}(s_i,B) < 1$ for $i = 1, 2$. Then: 

$$\Pr(s_i,\varphi) \;=\; \frac{\mathbf{P}(s_i, C)}{1 - \mathbf{P}(s_i, B)} .$$ 

This is justified as follows. If $\Pr(s_i,\varphi) = 0$, then obviously $\mathbf{P}(s_i,C) = 0$. Otherwise, by instanti- 
ating the equation system in (1) with $S' = B$, $\Phi_2 = \Phi_C$ and $\Phi_1 = \Phi_B$, it can easily be verified that the 
vector with the values $x_s = \mathbf{P}(s,C)/(1 - \mathbf{P}(s,B))$ (for $s \in B$) is a solution. ∎ 
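As an added worked example (not part of the paper), the two equation systems of the proof above solved exactly on a small constructed FPS: the full system (1) over $S'$, and the lumped system with one unknown per class. The partition used is a strong bisimulation ($\sim_d$), which is in particular a weak one; the state names, labels and helper functions are mine.

```python
from fractions import Fraction as Fr
from typing import Dict, Hashable, List, Sequence, Set

State = Hashable
# A fully probabilistic system (FPS) given by its transition probabilities:
# P[s][t] = P(s, t); absent entries are 0 and every state is a key of P.
FPS = Dict[State, Dict[State, Fr]]


def prob(P: FPS, s: State, block: Set[State]) -> Fr:
    """P(s, B): probability of moving from s into the set B in one step."""
    return sum((P[s].get(t, Fr(0)) for t in block), Fr(0))


def solve(A: List[List[Fr]], b: List[Fr]) -> List[Fr]:
    """Solve A x = b exactly by Gauss-Jordan elimination (A square and invertible)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def reaching_states(P: FPS, sat1: Set[State], sat2: Set[State]) -> Set[State]:
    """S' of the proof: states of Sat(Phi1) \\ Sat(Phi2) that reach Sat(Phi2)
    through Sat(Phi1)-states, found by a backward search from Sat(Phi2)."""
    middle = set(sat1) - set(sat2)
    s_prime: Set[State] = set()
    frontier = set(sat2)
    while frontier:
        nxt = {s for s in middle - s_prime if any(P[s].get(t, Fr(0)) > 0 for t in frontier)}
        s_prime |= nxt
        frontier = nxt
    return s_prime


def until_probabilities(P: FPS, sat1: Set[State], sat2: Set[State]) -> Dict[State, Fr]:
    """Pr(s, Phi1 U Phi2) for every state s: 1 on Sat(Phi2), 0 on the other states
    outside S', and on S' the unique solution of equation system (1),
        x_s = P(s, Sat(Phi2)) + sum_{s' in S'} P(s, s') * x_{s'}
    (states of Sat(Phi1) \\ Sat(Phi2) outside S' have x = 0 and drop out)."""
    order = sorted(reaching_states(P, sat1, sat2), key=repr)
    A = [[(Fr(1) if s == t else Fr(0)) - P[s].get(t, Fr(0)) for t in order] for s in order]
    b = [prob(P, s, sat2) for s in order]
    result = {s: Fr(0) for s in P}
    result.update({s: Fr(1) for s in sat2})
    result.update(zip(order, solve(A, b)))
    return result


def lumped_until_probabilities(P: FPS, sat1: Set[State], sat2: Set[State],
                               blocks: Sequence[Set[State]]) -> Dict[frozenset, Fr]:
    """The second equation system of the proof, one unknown x_B per class B inside
    S' with a representative s_B of B:  x_B = P(s_B, Sat(Phi2)) + sum_C P(s_B, C) x_C.
    Assumes `blocks` is a bisimulation partition, so any representative will do."""
    s_prime = reaching_states(P, sat1, sat2)
    inner = [frozenset(B) for B in blocks if B <= s_prime]
    reps = [next(iter(B)) for B in inner]
    A = [[(Fr(1) if B == C else Fr(0)) - prob(P, sB, C) for C in inner]
         for B, sB in zip(inner, reps)]
    b = [prob(P, sB, sat2) for sB in reps]
    return dict(zip(inner, solve(A, b)))


def is_strong_bisimulation(P: FPS, labels: Dict[State, Set[str]],
                           blocks: Sequence[Set[State]]) -> bool:
    """~d for a partition: equal labels inside each block, and all states of a
    block move into every block with the same probability."""
    for B in blocks:
        rep = next(iter(B))
        if any(labels[s] != labels[rep] for s in B):
            return False
        if any(prob(P, s, C) != prob(P, rep, C) for s in B for C in blocks):
            return False
    return True


# Constructed example FPS (not from the paper): a, b, c are labelled {try},
# g is labelled {goal}, f carries no label.  {a,b},{c},{g},{f} is a strong
# bisimulation, so a and b must get the same value for "try U goal".
SAMPLE: FPS = {
    "a": {"a": Fr(1, 2), "g": Fr(1, 4), "f": Fr(1, 4)},
    "b": {"a": Fr(1, 4), "b": Fr(1, 4), "g": Fr(1, 4), "f": Fr(1, 4)},
    "c": {"a": Fr(1, 2), "b": Fr(1, 2)},
    "g": {"g": Fr(1)},
    "f": {"f": Fr(1)},
}
LABELS = {"a": {"try"}, "b": {"try"}, "c": {"try"}, "g": {"goal"}, "f": set()}
BLOCKS = [{"a", "b"}, {"c"}, {"g"}, {"f"}]
SAT_TRY = {s for s in SAMPLE if "try" in LABELS[s]}
SAT_GOAL = {s for s in SAMPLE if "goal" in LABELS[s]}

if __name__ == "__main__":
    print(until_probabilities(SAMPLE, SAT_TRY, SAT_GOAL))                 # a, b, c -> 1/2
    print(lumped_until_probabilities(SAMPLE, SAT_TRY, SAT_GOAL, BLOCKS))  # both classes 1/2
```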



Proposition 8. For CTMC $\mathcal{C}$, $s$ in $\mathcal{C}$, and $\mathrm{CSL}_{\setminus X}$-formula $\Phi$: $s \models \Phi$ iff $s \models \Phi$ in $unif(\mathcal{C})$. 

Proof. By induction on the syntax of $\Phi$. For the propositional fragment the result is obvious. For the 
$\mathcal{S}$- and $\mathcal{P}$-operator, we exploit the fact that steady-state and transient distributions in $\mathcal{C}$ and $unif(\mathcal{C})$ 
are identical, and that the semantics of $U^{\le t}$ and $W^{\le t}$ agrees with transient distributions [6]. ∎ 



Proposition 9. For any uniformised CTMC: $=_{\mathrm{CSL}_{\setminus X}}$ coincides with $=_{\mathrm{PCTL}_{\setminus X}}$. 

Proof. One direction is obvious. We prove the other direction. Assume CTMC $\mathcal{C}$ is uniformised 
and let $s_1, s_2$ be states in $\mathcal{C}$. From Prop. 1.1 and the logical characterisations of $\sim_c$ and $\sim_d$ it follows: 

$$s_1 =_{\mathrm{CSL}} s_2 \;\text{ iff }\; s_1 \sim_c s_2 \;\text{ iff }\; s_1 \sim_d s_2 \;\text{ iff }\; s_1 =_{\mathrm{PCTL}} s_2 .$$ 

Hence, it suffices to show that $=_{\mathrm{CSL}_{\setminus X}}$ implies $=_{\mathrm{PCTL}_{\setminus X}}$ (for uniformised CTMC). This is done by 
structural induction on the syntax of PCTL-formulae. Clearly, only the next-step operator is of interest. 
Consider the PCTL-path formula $\varphi = X\Psi$. By induction hypothesis $Sat(\Psi)$ is a (countable) union of 
equivalence classes of $=_{\mathrm{CSL}_{\setminus X}}$. In the following, we establish for $s_1 =_{\mathrm{CSL}_{\setminus X}} s_2$: 

$$\mathbf{P}(s_1, Sat(\Psi)) = \mathbf{P}(s_2, Sat(\Psi)), \quad\text{that is}\quad \Pr(s_1, X\Psi) = \Pr(s_2, X\Psi).$$ 

Let $B = [s_1]_{=_{\mathrm{CSL}_{\setminus X}}} = [s_2]_{=_{\mathrm{CSL}_{\setminus X}}}$. First observe that $\mathbf{P}(s_1,B) = \mathbf{P}(s_2,B)$; otherwise, if, e.g., 
$\mathbf{P}(s_1,B) < \mathbf{P}(s_2,B)$, one would have $\Pr(s_1,\,\cdot\,) < \Pr(s_2,\,\cdot\,)$ for a suitable time-bounded path formula and some sufficiently 
small $t$, contradicting $s_1 =_{\mathrm{CSL}_{\setminus X}} s_2$. As in the proof of Theorem 2 we assume a finite state space and 
that any $=_{\mathrm{CSL}_{\setminus X}}$-equivalence class $C$ can be characterised by a $\mathrm{CSL}_{\setminus X}$-formula $\Psi_C$. Distinguish: 

- $\mathbf{P}(s_1,B) = \mathbf{P}(s_2,B) < 1$. Using the same arguments as in the proof of Theorem 2 we obtain: 

$$\Pr(s_i, \Psi_B\, U\, \Psi) \;=\; \frac{\mathbf{P}(s_i, Sat(\Psi))}{1 - \mathbf{P}(s_i, B)} .$$ 

As $s_1 =_{\mathrm{CSL}_{\setminus X}} s_2$ and $\Psi_B\, U\, \Psi$ is a $\mathrm{CSL}_{\setminus X}$-path formula we get: $\Pr(s_1, \Psi_B\, U\, \Psi) = 
\Pr(s_2, \Psi_B\, U\, \Psi)$. Since $\mathbf{P}(s_1,B) = \mathbf{P}(s_2,B)$, it follows $\mathbf{P}(s_1, Sat(\Psi)) = \mathbf{P}(s_2, Sat(\Psi))$. 

- $\mathbf{P}(s_1,B) = \mathbf{P}(s_2,B) = 1$. As $Sat(\Psi)$ is the union of equivalence classes under $=_{\mathrm{CSL}_{\setminus X}}$, the 
intersection with $B$ is either empty or equals $B$. For $i = 1, 2$: $\mathbf{P}(s_i, Sat(\Psi)) = 1$ if $B \subseteq Sat(\Psi)$ 
and $0$ if $B \cap Sat(\Psi) = \emptyset$. Hence, $\mathbf{P}(s_1, Sat(\Psi)) = \mathbf{P}(s_2, Sat(\Psi))$. 

Thus, $s_1 =_{\mathrm{PCTL}} s_2$. ∎ 
Theorem 3. For any CTMC: $\approx_c$ coincides with $\mathrm{CSL}_{\setminus X}$-equivalence. 

Proof. 

$$\begin{array}{lcll}
s_1 \approx_c s_2 & \text{iff} & s_1 \approx_c^{unif(\mathcal{C})} s_2 & \text{(by Prop. 4.3)} \\[2pt]
& \text{iff} & s_1 \sim_c^{unif(\mathcal{C})} s_2 & \text{(by Prop. 4.2)} \\[2pt]
& \text{iff} & s_1 =_{\mathrm{CSL}}^{unif(\mathcal{C})} s_2 & \text{(since } \sim_c \text{ and CSL-equivalence coincide)} \\[2pt]
& \text{iff} & s_1 =_{\mathrm{CSL}_{\setminus X}}^{unif(\mathcal{C})} s_2 & \text{(by Prop. 9)} \\[2pt]
& \text{iff} & s_1 =_{\mathrm{CSL}_{\setminus X}} s_2 & \text{(by Prop. 8)}
\end{array}$$ 



Logical Characterisation of Simulation. For DTMCs without absorbing states simulation equivalence equals 
strong bisimulation $\sim_d$ [31], and hence equals $=_{\mathrm{PCTL}}$. For FPS, where the simulation preorder is non-symmetric and strictly coarser 
than $\sim_d$, a logical characterisation is obtained by considering a fragment of PCTL in the 
sense that $s_1 \sqsubseteq_d s_2$ iff all PCTL-safety properties that hold for $s_2$ also hold for $s_1$. A similar 
result can be established for $\sqsubseteq_c$ and a safe fragment of CSL. 



Safe and Live Fragments of PCTL and CSL. In analogy to the universal and existential 
fragments of CTL, safe and live fragments of PCTL and CSL are defined as follows. We 
consider formulae in positive normal form, i.e., negations may only be attached to atomic 
propositions. In addition, only a restricted class of probability bounds is allowed in the 
probabilistic operator. The syntax of PCTL-safety formulae (denoted by $\Phi_S$) is as follows: 

$$\Phi_S ::= \mathrm{tt} \;\mid\; \mathrm{ff} \;\mid\; a \;\mid\; \neg a \;\mid\; \Phi_S \wedge \Phi_S \;\mid\; \Phi_S \vee \Phi_S \;\mid\; \mathcal{P}_{\ge p}(X\Phi_S) \;\mid\; \mathcal{P}_{\ge p}(\Phi_S\, W\, \Phi_S)$$ 

PCTL-liveness formulae (denoted by $\Phi_L$) are defined as follows: 

$$\Phi_L ::= \mathrm{tt} \;\mid\; \mathrm{ff} \;\mid\; a \;\mid\; \neg a \;\mid\; \Phi_L \wedge \Phi_L \;\mid\; \Phi_L \vee \Phi_L \;\mid\; \mathcal{P}_{\ge p}(X\Phi_L) \;\mid\; \mathcal{P}_{> p}(\Phi_L\, W\, \Phi_L) \;\mid\; \mathcal{P}_{\ge p}(\Phi_L\, U\, \Phi_L)$$ 

As a result of the aforementioned relationship between $U$ and $W$, there is a duality between 
safety and liveness properties for PCTL, i.e., for any formula $\Phi_S$ there is a liveness property 
equivalent to $\neg\Phi_S$, and the same applies to any liveness property $\Phi_L$. Safe and live fragments 
of CSL are defined in an analogous way, where the steady-state operator is not considered, 
see [8]. 



Logical Characterisation of Simulation. Let $s_1 \sqsubseteq_{\mathrm{PCTL}} s_2$ iff for all PCTL-safety formulae 
$\Phi_S$: $s_2 \models \Phi_S$ implies $s_1 \models \Phi_S$. Likewise, $s_1 \sqsubseteq_{\mathrm{PCTL}_{\setminus X}} s_2$ iff this implication holds for all 
$\mathrm{PCTL}_{\setminus X}$-safety formulae. The preorders for the live fragments of PCTL and $\mathrm{PCTL}_{\setminus X}$ are defined similarly, and the 
same applies for the preorders corresponding to the safe and live fragments of CSL and 
$\mathrm{CSL}_{\setminus X}$. The first of the following results follows from a result by [17] for a variant of 
Hennessy-Milner logic. The fourth result has been reported in [8]. The same proof strategy 
can be used to prove the second and third result [9]. We conjecture that the converse of the 
third and fourth result also holds. 

Theorem 4. 

1. For any FPS: $\sqsubseteq_d$ coincides with $\sqsubseteq_{\mathrm{PCTL}}$ and with the preorder of the live fragment of PCTL. 

2. For any CTMC: $\sqsubseteq_c$ coincides with the preorders of the safe and of the live fragment of CSL. 

3. For any FPS: the weak simulation preorder is contained in the preorders of the safe and of the live fragment of $\mathrm{PCTL}_{\setminus X}$. 

4. For any CTMC: the weak simulation preorder is contained in the preorders of the safe and of the live fragment of $\mathrm{CSL}_{\setminus X}$. 

5 The Branching-Time Spectrum 

Summarising the results obtained in the literature together with our results in this paper 
yields the 3-dimensional spectrum of branching-time relations depicted in Fig. 1. All strong 
bisimulation relations are clearly contained within their weak variants, i.e., $\sim_d \subseteq \approx_d$ and 
$\sim_c \subseteq \approx_c$. The plane in the "front" (black arrows) represents the continuous-time setting, 
whereas the plane in the "back" (light blue or gray arrows) represents the discrete-time 
setting. Arrows connecting the two planes (red or dark gray) relate CTMCs and their 
embedded DTMCs. $R \to R'$ means that $R$ is finer than $R'$, while $R \not\to R'$ means that 
$R$ is not finer than $R'$. The dashed arrows in the continuous setting refer to uniformised 
CTMCs, i.e., if there is a dashed arrow from $R$ to $R'$, $R$ is finer than $R'$ for uniformised 
CTMCs. In the discrete-time setting the dashed arrows refer to DTMCs without absorbing 
states. Note that these models are obtained as embeddings of uniformised CTMCs (except 
for the pathological CTMC where all exit rates are 0, in which case all relations in the picture 
agree). If a solid arrow is labeled with a question mark, we claim the result, but have no 
proof (yet). For negated dashed arrows with a question mark, we claim that the implication 
does not hold even for uniformised CTMCs (DTMCs without absorbing states). The only 
difference between the discrete and continuous setting is that weak and strong bisimulation 
equivalence agree for uniformised CTMCs, but not for DTMCs without absorbing states. 

Fig. 1. Spectrum of branching-time relations for CTMCs and DTMCs 

The weak bisimulation proposed in [2] is strictly coarser than $\approx_d$ and thus does not 
preserve $=_{\mathrm{PCTL}_{\setminus X}}$. The ordinary, non-probabilistic branching-time spectrum is more di- 
verse, because there are many different weak bisimulation-style equivalences [23]. In the 
setting considered here, the spectrum spanned by Milner-style observational equivalence 
and branching bisimulation equivalence collapses to a single "weak bisimulation equiva- 
lence" [7]. Another difference is that for ordinary transition systems, simulation equivalence 
is strictly coarser than bisimulation equivalence. Further, in this non-probabilistic setting 
weak relations have to be augmented with aspects of divergence to obtain a logical charac- 
terisation by $\mathrm{CTL}_{\setminus X}$ [37]. In the probabilistic setting, divergence occurs with probability 
0 or 1, and does not need any distinguished treatment. 

6 Concluding Remarks 

This paper has explored the spectrum of strong and weak (bi)simulation relations for count- 
able fully probabilistic systems as well as continuous-time Markov chains. Based on a 
cascade of definitions in a uniform style, we have studied strong and weak (bi)simulations, 
and have provided logical characterisations in terms of fragments of PCTL and CSL. The 
definitions have three ingredients: (1) a condition on the labelling of states with atomic 
propositions, (2) a time-abstract condition on the probabilistic behaviour, and (3) a model- 
dependent condition: a rate condition for CTMCs (on the exit rates in the strong case, and 
on the total rates of “visible” moves in the weak case), and a reachability condition on 
the “visible” moves in the weak FPS case. The strong FPS case does not require a third 
condition. 

As the rate conditions imply the corresponding reachability condition, the “continu- 
ous” relations are finer than their “discrete” counterparts, and the continuous-time setting 
excludes the possibility to abstract from stuttering occurring with probability While 
weak bisimulation in CTMCs (and FPSs) is a rather fine notion, it is the best abstraction 
preserving all properties that can be specified in CSL (PCTL) without next-step. 
Abstract. We introduce a characterisation of probabilistic transition 
systems (PTS) in terms of linear operators on some suitably defined 
vector space representing the set of states. Various notions of process 
equivalences can then be re-formulated as abstract linear operators re- 
lated to the concrete PTS semantics via a probabilistic abstract inter- 
pretation. These process equivalences can be turned into corresponding 
approximate notions by identifying processes whose abstract operators 
“differ” by a given quantity, which can be calculated as the norm of the 
difference operator. We argue that this number can be given a statistical 
interpretation in terms of the tests needed to distinguish two behaviours. 



1 Introduction 

We study the notion of relation on a set $X$ in terms of linear operators on a space 
representing the elements in $X$. In this setting classical relations correspond to 
0/1 matrices. By considering matrices with generic (numerical) entries, we gen- 
eralise the classical notion by introducing quantitative relations. We will concen- 
trate on a special type of quantitative relations, namely probabilistic transition 
relations. These represent a central notion in probabilistic process algebra [19], 
where process semantics and thus the various process equivalences are defined 
in terms of probabilistic transition systems (PTS). 

We introduce a technique for defining approximated versions of various pro- 
cess equivalences, which exploits the operator algebraic view of quantitative rela- 
tions. The fact that these quantities correspond in a PTS to probabilities allows 
for a statistical interpretation of the approximation according to the “button- 
pushing experiments” view of process semantics [22,31]. 

The technique is based on the definition of a PTS as a continuous linear oper- 
ator on a Hilbert space built out of the states and actions. Process equivalences 
are special linear operators which correspond to some probabilistic abstractions 
of the PTS semantics. By using some appropriate operator norm we are then 
able to quantify equivalences, and use the resulting measure $\varepsilon$ to define corre- 
sponding notions of approximate equivalences. These $\varepsilon$-relations are no longer 
equivalence relations but instead they approximate equivalence relations. 

We will illustrate our approach on two process semantics, namely graph iso- 
morphism and a generic notion of probabilistic bisimulation, which we will char- 
acterise by using the Probabilistic Abstract Interpretation framework introduced 
in [13,14]. The possibility of reasoning in terms of a non-exact semantics is im- 
portant for program analysis, where it is often more realistic to consider a margin 
of tolerance in the identification of two processes. For example, in the area of 
security, approximate versions of process equivalences can be used to define se- 
curity properties which reflect more closely the various security problems which 
occur in practice. For the approximate version of bisimulation, which we call 
$\varepsilon$-bisimulation, we will mention possible applications in this area. This approach 
has been adopted in [12,11], where an approximate notion of observational equiv- 
alence is considered to address the problem of confidentiality. 

2 Quantitative Relations 

Standard models in semantics are usually based on a qualitative concept of a 
relation $R \subseteq X \times X$, which states whether two elements are related or not. We are 
concerned here with quantitative (more precisely probabilistic) relations. Such 
relations not only specify which elements in X are related, but also how “strong” 
this relation is. As an example, probabilistic transition relations are quantitative 
relations which specify how likely it is that one state is reachable from another. 
We begin with an investigation of the general notion of quantitative relation, 
which we characterise as a linear operator; we then apply these general results 
to the special case of probabilistic transition relations, which are at the base of 
the process equivalences we will study in the following. 

Definition 1. (i) A quantitative or weighted relation $R$ over a space $X$ with 
weights in $W$ is a subset $R \subseteq X \times W \times X$. 

(ii) A labelled quantitative relation $L$ is a subset $L \subseteq X \times A \times W \times X$, where 
$A$ is a set of labels. 

(iii) A probabilistic relation $P$ is a quantitative relation with $W = [0,1]$, i.e. 
$P \subseteq X \times [0,1] \times X$, where for each $x \in X$ the function $\mu_x : X \to [0,1]$ 
defined by $\mu_x(y) = p$ for $(x,p,y) \in P$ is a distribution, i.e. for a fixed $x \in X$: 

$$\sum_{y \in X} \mu_x(y) \;=\; \sum_{(x,p,y) \in P} p \;=\; 1 .$$ 

We will consider here only quantitative relations over countable sets $X$ and 
finite sets of labels $A$. Furthermore we will assume complex weights, i.e. $W = \mathbb{C}$, 
as we can embed the other common weight sets, e.g. $\mathbb{Z}, \ldots, \mathbb{R}$, easily in $\mathbb{C}$. 

Note that for numerical weights - i.e. for $W$ a ring, field, etc. - we can 
interpret $R \subseteq X \times W \times X$ as a function $R : X \times X \to W$ by adding all the 
weights associated to the same pair $(x,y) \in X \times X$, i.e. $R(x,y) = \sum_{(x,w,y) \in R} w$. 

2.1 Linear Representations 

Qualitative as well as quantitative relations have a simple representation as linear 
operators. In order to define the matrix associated to a relation on a set X, we 
first have to lift X to a vector space. 
Definition 2. The vector space $\mathcal{V}(X)$ over a set $X$ is the space of formal linear 
combinations of elements in $X$ with coefficients in some field $W$ (e.g. $W = \mathbb{C}$) 
which are represented by sequences of elements in $W$ indexed by elements in $X$: 

$$\mathcal{V}(X) = \{\, (c_x)_{x \in X} \mid c_x \in W \,\}.$$ 

We associate to each relation $R \subseteq X \times X$ a 0/1-matrix, i.e. a linear operator 
$\mathbf{M}(R)$ on $\mathcal{V}(X)$ defined by: 

$$(\mathbf{M}(R))_{xy} = \begin{cases} 1 & \text{iff } (x,y) \in R \\ 0 & \text{otherwise} \end{cases}$$ 

where $x, y \in X$, and $(\mathbf{M}(R))_{xy}$ denotes the entry in column $x$ and row $y$ in the 
matrix representing $\mathbf{M}(R)$. Analogously, the matrix representing a quantitative 
relation $R \subseteq X \times W \times X$ is defined by: 

$$(\mathbf{M}(R))_{xy} = \begin{cases} w & \text{iff } (x,w,y) \in R \\ 0 & \text{otherwise} \end{cases}$$ 

Note that these definitions rely on the interpretation of (numerical) quanti- 
tative relations as functions mentioned above. For probabilistic relations, where 
$W = [0,1]$, we obtain a stochastic matrix, that is a positive matrix where the 
entries in each row sum up to one. 

For finite sets $X$ the representation of (quantitative) relations as linear oper- 
ators on $\mathcal{V}(X) \simeq \mathbb{C}^n$ is rather straightforward: since all finite dimensional vector 
spaces are isomorphic to the $n$-dimensional complex vector space $\mathbb{C}^n$ for some 
$n < \infty$, their topological structure is unique [18, 1.22] and every linear operator 
is automatically continuous. For infinite (countable) sets, however, the algebra 
of infinite matrices which we obtain this way is topologically "unstable". The al- 
gebra of infinite matrices has no universal topological structure and the notions 
of linearity and continuity do not coincide. It is therefore difficult, for example, 
to define the limit of a sequence of infinite matrices in a general way. In [15] Di 
Pierro and Wiklicky address this problem by concentrating on relations which 
can be represented as elements of a C*-algebra, or concretely as elements in 
$\mathcal{B}(\ell^2)$, i.e. the algebra of bounded, and therefore continuous, linear operators on 
the standard Hilbert space $\ell^2(X) \subseteq \mathcal{V}(X)$. This is the space of infinite vectors: 

$$\ell^2(X) = \Big\{\, (x_i)_i \;\Big|\; x_i \in \mathbb{C} : \sum_i |x_i|^2 < \infty \Big\}.$$ 

The algebraic structure of a C*-algebra allows for exactly one norm topology 
and thus offers the same advantages as the linear algebra of finite dimensional 
matrices. A formal justification for this framework is given in [15]. We just 
mention here that the representation of (probabilistic transition) relations as 
operators on $\ell^2(X)$ - and not, for example, on a space which a priori might seem 
to be a more appropriate structure, e.g. [20] - allows us to treat "computational 
states" and "observables" as elements of the same space (as Hilbert spaces are 
self-dual). Furthermore, this approach is consistent with the well established 
study of (countable) infinite graphs via their adjacency operator as an element 
in $\mathcal{B}(\ell^2)$, e.g. [23]. 
2.2 Probabilistic Transition Relations 

A labelled transition system specifies a class of sequential processes $\mathcal{P}$ on which 
binary predicates $\xrightarrow{a}$ are defined for each action $a$ a process is capable to per- 
form. Probabilistic Transition Systems (PTS) are labelled transition systems 
with a probabilistic branching: a process $p$ can be in a relation $\xrightarrow{a}$ with any $p'$ 
in a set $S$ of possible successors with a given probability $\pi(p')$ such that $\pi$ forms 
a distribution over the set $S$ [19,21]. 

Given a countable set $S$, we call a function $\pi : S \to [0,1]$ a distribution on $S$ 
iff $\sum_{s \in S} \pi(s) = 1$, and denote by $Dist(S)$ the set of all distributions on $S$. Every 
distribution corresponds to a vector in the vector space $\mathcal{V}(S)$. Furthermore, as 
$x^2 \le x$ for $x \in [0,1]$ we have $\sum_{s \in S} \pi(s)^2 \le \sum_{s \in S} \pi(s) = 1$, i.e. every distribution 
corresponds to a vector in $\ell^2(S) \subseteq \mathcal{V}(S)$. 

Given an equivalence relation $\approx$ on $S$ and a distribution $\pi$ on $S$, the lifting of 
$\pi$ to the set of equivalence classes of $\approx$ in $S$, $S/\!\approx$, is defined for each equivalence 
class $[s] \in S/\!\approx$ by $\pi([s]) = \sum_{s' \in [s]} \pi(s')$. It is straightforward to show that this 
is indeed a distribution on $S/\!\approx$ (e.g. [19, Def 1 & Thm 1]). We write $\pi \approx \varrho$ if 
the liftings of $\pi$ and $\varrho$ coincide. 

Definition 3. A probabilistic transition system is a tuple $(S, A, \to, \pi_0)$, where: 

— $S$ is a non-empty, countable set of states, 

— $A$ is a non-empty, finite set of actions, 

— $\to \subseteq S \times A \times Dist(S)$ is a transition relation, and 

— $\pi_0 \in Dist(S)$ is an initial distribution on $S$. 

For $s \in S$, $a \in A$ and $\pi \in Dist(S)$ we write $s \xrightarrow{a} \pi$ for $(s,a,\pi) \in \to$. By 
$s \xrightarrow{a} t$ we denote the transition to individual states $t$ with probability $\pi(t)$. 

The above definition of a PTS allows for fully probabilistic as well as non- 
deterministic transitions as there might be more than one distribution associated 
to a state $s$ and an action $a$. In this paper we will concentrate on fully proba- 
bilistic models where a non-deterministic choice never occurs. 



Definition 4. Given a probabilistic transition system $\mathcal{X} = (S, A, \to, \pi_0)$, we 
define its matrix or operator representation $\mathbf{X} = (\mathbf{M}(\mathcal{X}), \mathbf{M}(\pi_0)^{|A|})$ as the direct 
sum of the operator representations of the transition relations for each $a \in A$: 

$$\mathbf{M}(\mathcal{X}) = \bigoplus_{a \in A} \mathbf{M}(\xrightarrow{a}),$$ 

and $|A|$ copies of the vector $\mathbf{M}(\pi_0)$ representing $\pi_0$, written $\mathbf{M}(\pi_0)^{|A|}$. 

In the following we will write $\mathbf{M}_a$ for $\mathbf{M}(\xrightarrow{a})$. 

Given a set $\{\mathbf{M}_i\}_{i=1}^k$ of $n_i \times m_i$ matrices, the direct sum of these matrices 
is given by the $(\sum_{i=1}^k n_i) \times (\sum_{i=1}^k m_i)$ matrix: 

$$\mathbf{M} = \bigoplus_i \mathbf{M}_i = \begin{pmatrix} \mathbf{M}_1 & 0 & 0 & \ldots & 0 \\ 0 & \mathbf{M}_2 & 0 & \ldots & 0 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & 0 & \ldots & \mathbf{M}_k \end{pmatrix}$$ 

Distributions are represented by vectors in the vector space $\ell^2(S) \oplus \ldots \oplus \ell^2(S) = 
(\ell^2(S))^{|A|}$. The matrix $\mathbf{M}(\mathcal{X})$ represents a linear operator on this space. 

It is easy to see that starting with $\mathbf{M}(\pi_0)$ and applying $\mathbf{M}(\mathcal{X})$ repeatedly for 
$n$ steps we get the distributions corresponding to the $n$-step closure of $\to$ (by 
summing up the factors in the direct sum). More precisely: 

— Take an initial $\pi_0 \in Dist(S)$ and represent it as a vector $\mathbf{M}(\pi_0) \in \mathcal{V}(S)$. 

— Combine $|A|$ copies of $\mathbf{M}(\pi_0)$ to obtain $\mathbf{M}(\pi_0)^{|A|}$. 

— Apply $\mathbf{M}(\mathcal{X}) = \bigoplus_{a \in A} \mathbf{M}_a$ to this vector. 

— Obtain $(\bigoplus_{a \in A} \mathbf{M}_a)(\mathbf{M}(\pi_0)^{|A|}) = \bigoplus_{a \in A} \mathbf{M}_a(\mathbf{M}(\pi_0))$. 

— Denote the factors by $\mathbf{M}(\pi_a) = \mathbf{M}_a(\mathbf{M}(\pi_0))$. 

— Construct the compactification $\mathbf{M}(\pi_1)$ from the factors $\mathbf{M}(\pi_a)$. 

— Restart the iteration process with $\pi_1$. 

For the sake of simplicity we will denote by $\mathbf{P}\mathbf{X}$ the multiplication of a direct 
sum $\bigoplus_a \mathbf{P}$ of the same matrix $\mathbf{P}$ with the matrix $\mathbf{X} = \bigoplus_a \mathbf{X}_a$. By the properties 
of the direct sum this is the same as $\bigoplus_a (\mathbf{P}\mathbf{X}_a)$. 

Given a PTS $\mathcal{X} = (S, A, \to, \pi_0)$ and a state $p \in S$, we denote by $S_p \subseteq S$ 
the set of all states reachable from $p$, by $T(p)$ the transition system induced on 
the restricted state space $S_p$, and by $\mathbf{M}(p)$ the matrix representation of $T(p)$. 

3 Probabilistic Abstract Interpretation 

Probabilistic Abstract Interpretation was introduced in [13,14] as a probabilistic 
version of the classical abstract interpretation framework by Cousot & Cousot 
[5,6]. This framework provides general techniques for the analysis of programs 
which are based on the construction of safe approximations of concrete semantics 
of programs via the notion of Galois connection [7,25]. Probabilistic abstract 
interpretation re-casts these techniques in a probabilistic setting, where linear 
spaces replace the classical order-theoretic based domains, and the notion of 
Moore-Penrose pseudo-inverse of a linear operator replaces the classical notion 
of a Galois connection. It is thus essentially different from approaches applying 
classical abstract interpretation to probabilistic domains [24]. 

By a probabilistic domain we mean a space which represents the distributions 
$Dist(S)$ on the state space $S$ of a PTS, i.e. in our setting the Hilbert space $\ell^2(S)$. 
For finite state spaces we can identify $\mathcal{V}(S) \simeq \ell^2(S)$. 

Definition 5. Let $\mathcal{C}$ and $\mathcal{D}$ be two probabilistic domains. A probabilistic ab- 
stract interpretation is a pair of bounded linear operators $\mathbf{A} : \mathcal{C} \to \mathcal{D}$ and 
$\mathbf{G} : \mathcal{D} \to \mathcal{C}$, between (the concrete domain) $\mathcal{C}$ and (the abstract domain) $\mathcal{D}$, 
such that $\mathbf{G}$ is the Moore-Penrose pseudo-inverse of $\mathbf{A}$, and vice versa. 

The Moore-Penrose pseudo-inverse is usually considered in the context of 
so-called least-square approximations as it allows the definition of an optimal 
generalised solution of linear equations. The Moore-Penrose pseudo-inverse of a 
linear map between two Hilbert spaces is defined as follows (for further details 
see e.g. [4], or [3]): 
Definition 6. Let $\mathcal{C}$ and $\mathcal{D}$ be two Hilbert spaces and $\mathbf{A} : \mathcal{C} \to \mathcal{D}$ a linear map 
between them. A linear map $\mathbf{A}^\dagger = \mathbf{G} : \mathcal{D} \to \mathcal{C}$ is the Moore-Penrose pseudo- 
inverse of $\mathbf{A}$ iff 

$$\mathbf{A} \circ \mathbf{G} = \mathbf{P}_A \quad\text{and}\quad \mathbf{G} \circ \mathbf{A} = \mathbf{P}_G$$ 

where $\mathbf{P}_A$ and $\mathbf{P}_G$ denote orthogonal projections onto the ranges of $\mathbf{A}$ and $\mathbf{G}$. 

A simple method for constructing a probabilistic abstract interpretation 
which we will use in this paper is as follows: given a linear operator $\Phi$ on some 
Hilbert space $\mathcal{V}$ expressing the probabilistic semantics of a concrete system, and 
a linear abstraction function $\mathbf{A} : \mathcal{V} \to \mathcal{W}$ from the concrete domain into an 
abstract domain $\mathcal{W}$, we compute the Moore-Penrose pseudo-inverse $\mathbf{G} = \mathbf{A}^\dagger$ of 
$\mathbf{A}$. The abstract semantics can then be defined as the linear operator on the 
abstract domain $\mathcal{W}$: 

$$\Phi^{\#} = \mathbf{A} \circ \Phi \circ \mathbf{G}.$$ 

Moore-Penrose inverses always exist for operators on finite dimensional vector 
spaces [3]. For operator algebras, i.e. operators over infinite dimensional Hilbert 
spaces, the following theorem provides conditions under which the existence of 
Moore-Penrose inverses is guaranteed [3, Thm 4.24]: 

Theorem 1. An operator $\mathbf{A} : \mathcal{C} \to \mathcal{D}$ between two Hilbert spaces is Moore- 
Penrose invertible if and only if it is normally solvable, i.e. if its range $\{\mathbf{A}x \mid x \in 
\mathcal{C}\}$ is closed. 

For the special case of operators $\mathbf{A}$ which are defined via an approximating 
sequence $(\mathbf{A}_n)_n$ of finite-dimensional operators, we are not only guaranteed that 
the Moore-Penrose pseudo-inverse exists, but we can also construct it via an 
approximation sequence provided that the sequence $(\mathbf{A}_n)_n$ and the sequence 
$(\mathbf{A}_n^*)_n$ of their adjoints converge strongly to $\mathbf{A}$ and $\mathbf{A}^*$ [3, Cor 4.34]. In the 
strong operator topology a sequence of operators $(\mathbf{A}_n)_n$ converges strongly if 
there exists an operator $\mathbf{A}$ such that for all $x$: $\lim_{n \to \infty} \|\mathbf{A}_n x - \mathbf{A}x\| = 0$. 

Proposition 1. Let $\mathbf{A} : \mathcal{C} \to \mathcal{D}$ be an operator between two separable 
Hilbert spaces. If there is a sequence $\mathbf{A}_n$ of finite dimensional operators with 
$\sup_n \|\mathbf{A}_n\| < \infty$ and such that $\mathbf{A}_n \to \mathbf{A}$ and $\mathbf{A}_n^* \to \mathbf{A}^*$ strongly, then $\mathbf{A}$ is 
normally solvable and $\mathbf{A}_n^\dagger \to \mathbf{A}^\dagger$ strongly. 

This construction is sufficient for most cases as it can be shown that the 
operational or collecting semantics of finitely branching processes can always be 
approximated in this way [15]. 

4 Approximate Process Equivalences 

In the classical approaches process equivalences are qualitative relations. Alter- 
natively, process equivalences can be seen as a kind of quantitative relations, 
namely probabilistic relations. One advantage of having a quantity (the proba- 
bility) attached to a relation is that we can calculate the behavioural difference 
between two processes and use the resulting quantity to define approximate no- 
tions of equivalences. The latter weaken strict equivalences by identifying pro- 
cesses whose behaviour is "the same up to $\varepsilon$", $\varepsilon$ being the approximation error. 

The $\varepsilon$ versions of process equivalences are closely related to approaches which 
aim to distinguish probabilistic processes by statistical testing. A general set- 
ting for a statistical interpretation of $\varepsilon$ is provided by the concept of hypothesis 
testing, see e.g. [28]. The problem can be stated as follows: given two processes 
$A$ and $B$ let us assume that one of these is executed as a black-box process 
$X$, i.e. we know that either $X = A$ or $X = B$. The idea is to formulate two 
(exclusive) hypotheses $H_0$: $X$ is $A$ and $H_1$: $X$ is $B$. The aim is to determine 
the probability that either $H_0$ or $H_1$ holds based on a number of statistical tests 
performed on $X$. The number $\varepsilon$ gives us a direct measure for how many tests 
we have to perform in order to accept $H_0$ or $H_1$ with a certain confidence. In 
essence: the smaller the $\varepsilon$, the more tests we have to perform in order to obtain 
the same level of confidence. 

The details of the exact relation between the number of required tests $n$ to 
distinguish $H_0$ and $H_1$ with a certain confidence $\alpha$ are not easy to work out 
in general, but can in principle be achieved using methods from mathematical 
statistics. More details for a concrete case - applied to the problem of proba- 
bilistic confinement related to the simple notion of process equivalence based on 
input/output observables - can be found in [12,11]. 

Approximate equivalences turn out to be very useful in program analysis 
where they can be used to define approximate and yet more realistic analyses of 
program properties, such as confinement [12,11,10], which are directly defined 
in terms of some process equivalences. 

In order to define approximate process equivalences we first look at rela- 
tions as linear operators; then using an appropriate operator norm we measure 
the "distance" between relations. In this way we are able to define a relation 
which is $\varepsilon$-close to the strict (original) equivalence. For the characterisation of 
equivalence relations as linear operators we use the framework of probabilistic 
abstract interpretation. In particular, we will show that each equivalence on 
a given system corresponds to a pair of Moore-Penrose pseudo-inverses which 
define a probabilistic abstract interpretation of the system. 
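As an added example (not from the paper), the construction $\Phi^{\#} = \mathbf{A} \circ \Phi \circ \mathbf{G}$ of Section 3 carried out for the abstraction that maps states to the classes of a partition: $\mathbf{K}$ is the classification matrix, its pseudo-inverse $\mathbf{K}^\dagger$ is computed in closed form, the Penrose conditions of Definition 6 are verified, and the largest entry of $\mathbf{M}_a\mathbf{K} - \mathbf{K}(\mathbf{K}^\dagger \mathbf{M}_a \mathbf{K})$ serves as the distance of the partition from a probabilistic bisimulation. The row-vector convention, the sample PTS, the blocks and the choice of norm are mine; the permutation check illustrates Proposition 2 of Section 4.1.

```python
from fractions import Fraction as Fr
from typing import Dict, List, Sequence, Set

Matrix = List[List[Fr]]


def matmul(A: Matrix, B: Matrix) -> Matrix:
    return [[sum((A[i][k] * B[k][j] for k in range(len(B))), Fr(0))
             for j in range(len(B[0]))] for i in range(len(A))]


def transpose(A: Matrix) -> Matrix:
    return [list(col) for col in zip(*A)]


def classification_matrix(n: int, blocks: Sequence[Set[int]]) -> Matrix:
    """The abstraction A as an n x m 0/1 matrix: K[s][c] = 1 iff state s lies in
    block c (rows are states, columns are equivalence classes)."""
    return [[Fr(1) if s in blocks[c] else Fr(0) for c in range(len(blocks))]
            for s in range(n)]


def pseudo_inverse_classification(K: Matrix) -> Matrix:
    """Moore-Penrose pseudo-inverse K+ of a classification matrix.

    K has full column rank, so K+ = (K^T K)^{-1} K^T, and K^T K is the diagonal
    matrix of block sizes; hence K+[c][s] = 1/|block c| if s is in c, else 0.
    (Closed form used here instead of a general pseudo-inverse routine.)"""
    sizes = [sum(col, Fr(0)) for col in transpose(K)]
    return [[K[s][c] / sizes[c] for s in range(len(K))] for c in range(len(sizes))]


def is_pseudo_inverse(A: Matrix, G: Matrix) -> bool:
    """Penrose conditions: A G A = A, G A G = G, and A G, G A symmetric, i.e.
    A G and G A are the orthogonal projections required by Definition 6."""
    AG, GA = matmul(A, G), matmul(G, A)
    return (matmul(AG, A) == A and matmul(GA, G) == G
            and transpose(AG) == AG and transpose(GA) == GA)


def abstract_operator(M: Matrix, K: Matrix, Kp: Matrix) -> Matrix:
    """M# = K+ M K, the induced operator on the block space.  This is the
    page's A o Phi o G written for row vectors (a distribution is a row and
    the next distribution is row * M), with K as abstraction and K+ as G."""
    return matmul(Kp, matmul(M, K))


def permutation_matrix(perm: Sequence[int]) -> Matrix:
    """P with P[i][j] = 1 iff j = perm[i], as in Section 4.1."""
    n = len(perm)
    return [[Fr(1) if j == perm[i] else Fr(0) for j in range(n)] for i in range(n)]


def lumping_defect(pts: Dict[str, Matrix], blocks: Sequence[Set[int]]) -> Fr:
    """Largest entry of |M_a K - K M_a#| over all actions a of the PTS.

    M_a K holds the one-step probabilities P(s, C) from each state into each
    block; K M_a# replaces them by the average over the state's own block.
    The value is 0 iff all states of a block agree on these probabilities for
    every action, i.e. the partition is a probabilistic bisimulation; otherwise
    it measures how far the blocks are from lumpable.  (Max-entry norm chosen
    here; the page leaves the operator norm open.)"""
    n = len(next(iter(pts.values())))
    K = classification_matrix(n, blocks)
    Kp = pseudo_inverse_classification(K)
    worst = Fr(0)
    for M in pts.values():
        concrete = matmul(M, K)
        lifted = matmul(K, abstract_operator(M, K, Kp))
        worst = max(worst, max(abs(x - y) for r1, r2 in zip(concrete, lifted)
                               for x, y in zip(r1, r2)))
    return worst


# Constructed example PTS (not from the paper): states 0..3, actions a and b,
# each M_a row-stochastic.  Blocks {0,1},{2},{3} are lumpable; {0,1,2},{3} are not.
SAMPLE_PTS: Dict[str, Matrix] = {
    "a": [[Fr(1, 4), Fr(1, 4), Fr(1, 2), Fr(0)],
          [Fr(0), Fr(1, 2), Fr(1, 2), Fr(0)],
          [Fr(0), Fr(0), Fr(0), Fr(1)],
          [Fr(0), Fr(0), Fr(0), Fr(1)]],
    "b": [[Fr(0), Fr(0), Fr(0), Fr(1)],
          [Fr(0), Fr(0), Fr(0), Fr(1)],
          [Fr(0), Fr(0), Fr(1), Fr(0)],
          [Fr(0), Fr(0), Fr(0), Fr(1)]],
}
BISIM_BLOCKS = [{0, 1}, {2}, {3}]
COARSE_BLOCKS = [{0, 1, 2}, {3}]

if __name__ == "__main__":
    print(lumping_defect(SAMPLE_PTS, BISIM_BLOCKS))   # 0
    print(lumping_defect(SAMPLE_PTS, COARSE_BLOCKS))  # 2/3
```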



4.1 Graph Equivalence 

To illustrate our basic strategy for approximating process equivalences let us 
first look at the strongest - in some sense too strong [31, Fig 1] - notion of 
process equivalence, that is tree equivalence. Following [31, Def 1.3] the graph 
associated to a process p of a labelled transition system with actions A is a 
directed graph rooted in p whose edges are labelled by elements in A. Two 
processes are tree equivalent if their associated graphs are isomorphic. Graph 
isomorphism is defined as follows ([31, Def 1.3, Def 1.4], [17, p2]): 

Definition 7. An isomorphism between directed graphs $(V_1, E_1)$ and $(V_2, E_2)$ is 
a bijection $\varphi : V_1 \to V_2$ such that $(v, w) \in E_1 \Leftrightarrow (\varphi(v), \varphi(w)) \in E_2$. 
In the usual way, we define the adjacency operator $A(X)$ of a directed graph 
$X = (V, E)$ as an operator on $\ell^2(V)$ representing the edge-relation $E$ [23]. Then 
the notion of isomorphism between (finite) graphs can be re-stated in terms of 
permutation matrices. 

An $n \times n$-matrix $P$ is called a permutation matrix if there exists a permutation 
$\pi : \{1, \ldots, n\} \to \{1, \ldots, n\}$ such that $P_{ij} = 1$ iff $j = \pi(i)$ and otherwise 
$P_{ij} = 0$. This notion can easily be extended to permutation operators for infinite 
structures. 

We denote by $\mathcal{P}(n)$ the set of all $n \times n$ permutation matrices and by $\mathcal{P}(\mathcal{H})$ 
the set of permutation operators on $\mathcal{H}$; obviously we have $\mathcal{P}(n) = \mathcal{P}(\mathbb{C}^n)$. 

Proposition 2. For any permutation operator $P \in \mathcal{P}(\mathcal{H})$ the following holds: 
$P^{-1} = P^* = P^T = P^\dagger$, i.e. inverse, adjoint, transpose, and pseudo-inverse of 
permutation operators coincide. 

We then have the following result [17, Lemma 8.8.1]: 

Proposition 3. Let $X = (V, E_1)$ and $Y = (V, E_2)$ be two directed graphs on the 
same set of nodes $V$. Then $X$ and $Y$ are isomorphic if and only if there is a 
permutation operator $P$ such that the following holds: $P^\dagger A(X) P = A(Y)$. 

By using these notions and the operator representation of (probabilistic) tran- 
sition systems (cf. Definition 4) we can reformulate tree-equivalence of processes 
as follows. 

Proposition 4. Given the operator representations $\mathbf{X}$ and $\mathbf{Y}$ of two probabilistic 
transition systems $X = (S, A, \to, s_0)$ and $Y = (S', A, \to', s_0')$ with $|S| = |S'|$, 
then $X$ and $Y$ are tree-equivalent iff there exists $P \in \mathcal{P}(\ell^2(S)) = \mathcal{P}(\ell^2(S'))$ 
such that: 

$P^\dagger \mathbf{X} P = \mathbf{Y}$, 

i.e. for all $a \in A$ we have $P^\dagger M_a(X) P = M_a(Y)$ and $P^\dagger \pi_0 P = \pi_0'$. 

Therefore, tree equivalence of two systems X and Y corresponds to the exis- 
tence of an abstraction operator (the operator P) which induces a probabilistic 
abstract interpretation Y of X. 

Approximate Graph Equivalence. In the case where there is no P which satisfies 
the property in Proposition 4, i.e. X and Y are definitely not isomorphic, we 
could still ask how close X and Y are to being isomorphic. The most direct 
way to define a kind of “isomorphism defect” would be to look at the difference 
X — Y between the operators representing X and Y and then measure in some 
way, e.g. using a norm, this difference. 

Obviously, this is not the idea we are looking for: it is easy to see that the 
same graph - after enumerating its vertices in a different way - has different 
adjacency operators; it would thus have a non-zero “isomorphism defect” with 
itself. To remedy this we have to allow first for a reordering of vertices before 
we measure the difference between the operators representing two probabilistic 
transition systems. This is the underlying idea behind the following definition. 
Definition 8. Let $X = (S, A, \to, \pi_0)$ and $Y = (S', A, \to', \pi_0')$ be probabilistic 
transition systems over the same set of actions $A$, and let $\mathbf{X}$ and $\mathbf{Y}$ be their 
operator representations. We say that $X$ and $Y$ are $\varepsilon$-graph equivalent, denoted 
by X Y, iff 

$\inf_{P \in \mathcal{P}} \| P^\dagger \mathbf{X} P - \mathbf{Y} \| = \varepsilon$ 

where $\|\cdot\|$ denotes an appropriate norm. 

Note that, in the case of finite probabilistic transition systems, for $\varepsilon = 0$ we 
recover the original notion of (strict) graph equivalence, i.e. 

Proposition 5. An $\varepsilon$-isomorphism for $\varepsilon = 0$, i.e. of finite transition systems, 
is an isomorphism. 

We believe that a similar proposition can be stated for infinite PTS’s too. 
However, this would require the development of a more elaborate operator alge- 
braic framework for modelling PTS’s than the one presented in this paper, and 
we refer to [15] for a more detailed treatment of this case. 



4.2 Probabilistic Bisimulation Equivalence 

The finest process equivalence is bisimulation equivalence [31]. Bisimulation is 
a relation on processes, i.e. states of a labelled transition system. Alternatively, 
it can be seen as a relation between the transition graphs associated to the 
processes. The classical notion of bisimulation equivalence for labelled transition 
systems is as follows, e.g. [31, Def 12]: 

Definition 9. A bisimulation is a binary relation $\sim_b$ on states of a labelled 
transition system satisfying for all $a \in A$: 

$p \sim_b q$ and $p \xrightarrow{a} p'$ $\Rightarrow$ $\exists q' : q \xrightarrow{a} q'$ and $p' \sim_b q'$, 

$p \sim_b q$ and $q \xrightarrow{a} q'$ $\Rightarrow$ $\exists p' : p \xrightarrow{a} p'$ and $q' \sim_b p'$. 

Given two processes $p$ and $q$, we say that they are bisimilar if there exists a 
bisimulation relation such that $p \sim_b q$. Bisimulations are equivalence relations 
[31, Prop 8.1]. 

The standard generalisation of this notion to probabilistic transition systems, 
i.e. probabilistic bisimulation, is due to [21]. We will concentrate here on fully 
probabilistic systems or reactive systems in the terminology of [19]. In this model 
all states $s \in S$ are deterministic in the sense that for each action $a \in A$, there 
is only one distribution $\pi$ such that $s \xrightarrow{a} \pi$. 

Definition 10. [19, Def 4] [9, Def 3.2] A probabilistic bisimulation is an equivalence 
relation $\sim_b$ on states of a probabilistic transition system satisfying for all 
$a \in A$: 

$p \sim_b q$ and $p \xrightarrow{a} \pi$ $\Rightarrow$ $q \xrightarrow{a} \sigma$ and $\pi \sim_b \sigma$. 
We now introduce the notion of a classification operator which we will use 
to define a probabilistic bisimulation equivalence via a probabilistic abstract 
interpretation. A classification matrix or classification operator is given by an 
(infinite) matrix containing only a single non-zero entry equal to one in each row, 
and no column with only zero entries. Classification operators simply represent a 
classical relation, i.e. a 0/1 matrix, which happens to be a (surjective) function 
from one state space into another. 

Classification matrices and operators are thus particular kinds of stochastic 
matrices and operators. We denote by $\mathcal{C}(n, m)$ the set of all $n \times m$-classification 
matrices, and by $\mathcal{C}(\mathcal{H}_1, \mathcal{H}_2)$ the set of classification operators; again we have 
$\mathcal{C}(n, m) = \mathcal{C}(\mathbb{C}^n, \mathbb{C}^m)$. 

Obviously, every permutation matrix is also a classification matrix: $\mathcal{P}(n) \subseteq 
\mathcal{C}(n, n)$, and similarly $\mathcal{P}(\mathcal{H}) \subseteq \mathcal{C}(\mathcal{H}, \mathcal{H})$. Furthermore, the multiplication of two 
classification operators gives again a classification operator. These properties 
follow easily from the following correspondence between classification operators 
and equivalence relations: 

Proposition 6. Let $X$ be a countable set. Then for each equivalence relation 
$\sim$ on $X$ there exists a classification operator $K \in \mathcal{C}(\ell^2(X), \ell^2(X/\!\sim))$ and vice 
versa. 

For finite sets with $|X| = n$ and $|X/\!\sim| = m$ we get a classification matrix in 
$\mathcal{C}(n, m)$. 

Proposition 7. The pseudo-inverse of a classification operator $K$ corresponds 
to its normalised transpose or adjoint (these operations coincide for real $K$). 

The normalisation operation $\mathcal{N}$ is defined for a matrix $A$ by $\mathcal{N}(A)_{ij} = A_{ij}/a_i$ if 
$a_i = \sum_j A_{ij} \neq 0$ and $\mathcal{N}(A)_{ij} = 0$ otherwise. Although the classification operator 
$K$ represents a classical function, i.e. corresponds to an (infinite) 0/1-matrix, the 
pseudo-inverse will in general not be an (infinite) 0/1-matrix. 

It is easy to see that a probabilistic bisimulation equivalence $\sim$ on a PTS 
$T = (S, A, \to, \pi_0)$ defines a probabilistic abstract interpretation of $T$. In fact, by 
Proposition 6, there is a classification matrix $K \in \mathcal{C}(\ell^2(S), \ell^2(S'))$, for some $S'$, 
which represents $\sim$. If $\mathbf{M}(T)$ is the operator representation of $T$ then $K^\dagger \mathbf{M}(T) K$ 
is the abstract operator induced by $K$. Intuitively, this is an operator which 
abstracts the original system $T$ by encoding only the transitions between equivalence 
classes instead of the ones between single states. 

Consider now two processes $p, q \in S$ and their operator representations $\mathbf{M}(p)$ 
and $\mathbf{M}(q)$. The restrictions of $K$ to these two sets of nodes, which we call $K_p$ 
and $K_q$, are the abstraction operators for the two processes $p$ and $q$ and allow 
us to express exactly the condition for the probabilistic bisimilarity of $p$ and $q$: 

Proposition 8. Given the operator representations $\mathbf{M}(p)$ and $\mathbf{M}(q)$ of two 
probabilistic processes $p$ and $q$, then $p$ and $q$ are bisimilar iff there exist 
$K_p \in \mathcal{C}(\ell^2(S_p), \ell^2(S))$ and $K_q \in \mathcal{C}(\ell^2(S_q), \ell^2(S))$ for some set $S$ such that 

$K_p^\dagger \mathbf{M}(p) K_p = K_q^\dagger \mathbf{M}(q) K_q$. 

Corollary 1. Given the matrix representations $\mathbf{M}(p)$ and $\mathbf{M}(q)$ of two processes 
$p$ and $q$. Then $p$ and $q$ are bisimilar, i.e. $p \sim_b q$, iff there exists a PTS $X$ which 
is the probabilistic abstract interpretation of both $p$ and $q$. 



Example 1. Consider the following two processes $A$ and $B$ from [21, Fig. 4]: 

[transition graphs of $A$ and $B$: figure not recoverable from the scan] 

The corresponding matrices are: 

$\mathbf{M}(A) = M_a(A) \oplus M_b(A) =$ [matrix entries not recoverable from the scan] 

and 

$\mathbf{M}(B) =$ [matrix entries not recoverable from the scan] 

The classification operators and their pseudo-inverses are given by: 

$K_A = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 1 \end{pmatrix}, \qquad 
K_A^\dagger = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & \frac{1}{2} & \frac{1}{2} & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & \frac{1}{2} & \frac{1}{2} \end{pmatrix}$ 

and $K_B$ and $K_B^\dagger$ are simply $4 \times 4$ identity matrices. We then get: 

$K_A^\dagger \cdot M_a(A) \cdot K_A = M_a(B)$ 

$K_A^\dagger \cdot M_b(A) \cdot K_A = M_b(B)$ 

which shows that $A$ and $B$ are probabilistically bisimilar. 

The matrix formulation of (probabilistic) bisimulation makes it also easy to 
see how graph and bisimulation equivalence are related; as $\mathcal{P}(n) \subseteq \mathcal{C}(n, n)$ we 
have: 

Proposition 9. If p q then $p \sim_b q$. 

Note that probabilistic bisimulation is only related to a particular kind of 
probabilistic abstract interpretation: we consider only abstractions which are 
induced by classification matrices and not by more general ones. The relation 
between abstract interpretation and (bi)simulation has been recognised before 
in the classical Galois connection based setting ([8], [27]), but this appears to be 
the first investigation of such a relation in a probabilistic setting. 

Approximate Bisimulation Equivalences. When it is not possible to find a bisimulation 
equivalence for two processes $p$ and $q$ of a PTS $T$, we can still identify 
them, although only approximately. In order to do so, we introduce an $\varepsilon$-version 
of probabilistic bisimilarity. The intuitive idea is to find a classification operator 
$K$ which is the closest one to a bisimulation relation in which $p$ and $q$ are equivalent. 
The difference between the abstract operators induced by $K$ for the two 
processes will give us an estimate of the non-bisimilarity degree of $p$ and $q$. 

Definition 11. Let $T = (S, A, \to, \pi_0)$ be a probabilistic transition system and 
let $p$ and $q$ be two states in $S$ with operator representations $\mathbf{X}$ and $\mathbf{Y}$. We say 
that $p$ and $q$ are $\varepsilon$-bisimilar, denoted by p q, iff 

$\min_{K \in \mathcal{C}} \| K_p^\dagger \mathbf{X} K_p - K_q^\dagger \mathbf{Y} K_q \| = \varepsilon$ 

where $\|\cdot\|$ denotes an appropriate norm. 

In determining the “degree of similarity” $\varepsilon$ of two processes $\mathbf{X}$ and $\mathbf{Y}$ our 
aim is to identify two “abstract processes” $K_p^\dagger \mathbf{X} K_p$ and $K_q^\dagger \mathbf{Y} K_q$ such that their 
behaviour is most similar. The concrete numerical value of $\varepsilon$ depends on the norm 
we choose and the type of classification operators we consider. In particular, 
we can strengthen the above definition by restricting the number of “abstract 
states”, i.e. the dimension of $K_p$ and $K_q$, in order to obtain an estimation $\varepsilon$ 
relative to only those equivalences with a fixed number of classes. 

Note that it is possible to use this definition also to introduce an approximate 
version of the classical notion of bisimulation. Furthermore, for $\varepsilon = 0$ we recover 
partially the original notion of strict (probabilistic) bisimulation: 

Proposition 10. An $\varepsilon$-bisimulation for $\varepsilon = 0$, i.e. is a (probabilistic) 
bisimulation for finite transition systems. 

For infinite PTS, the same remarks as for Proposition 5 apply. 
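As an added illustration, not code from the paper, the following computes the $\varepsilon$-bisimilarity of Definition 11 by the brute-force search over all classification operators that Example 2 below also uses, with the number $m$ of abstract states fixed as the remark above suggests and pseudo-inverses taken as normalised transposes (Proposition 7). It assumes the operator infinity-norm (maximum absolute row sum) as the “appropriate norm”; the three reactive processes it compares are constructed here and are not those of the paper.

```python
from fractions import Fraction as F
from itertools import product

def classification(f, m):
    """Classification matrix K in C(n, m): row i has its single 1 in column f[i]."""
    return [[F(int(f[i] == j)) for j in range(m)] for i in range(len(f))]

def pseudo_inverse(K):
    """Prop. 7: K^dagger is the normalised transpose (each row rescaled to sum 1)."""
    Kt = [list(col) for col in zip(*K)]
    return [[x / sum(r) if sum(r) else F(0) for x in r] for r in Kt]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def abstract(M, K):
    """K^dagger M K: transitions between equivalence classes instead of states."""
    return matmul(matmul(pseudo_inverse(K), M), K)

def inf_norm(A):
    """Operator infinity-norm, i.e. maximum absolute row sum (assumed choice of norm)."""
    return max(sum(abs(x) for x in row) for row in A)

def surjections(n, m):
    """All maps {0..n-1} -> {0..m-1} hitting every class, i.e. all K in C(n, m)."""
    return (f for f in product(range(m), repeat=n) if len(set(f)) == m)

def epsilon_bisimilarity(X, Y, m):
    """Def. 11 with m abstract states: min over K_p, K_q in C(., m) of
    || K_p^dagger X K_p - K_q^dagger Y K_q ||.  X, Y map each action to its
    transition matrix; the norm of the direct sum is the max over actions."""
    n_p, n_q = len(next(iter(X.values()))), len(next(iter(Y.values())))
    best = None
    for fp in surjections(n_p, m):
        abs_x = {a: abstract(X[a], classification(fp, m)) for a in X}
        for fq in surjections(n_q, m):
            Kq = classification(fq, m)
            d = max(inf_norm([[u - v for u, v in zip(r1, r2)]
                              for r1, r2 in zip(abs_x[a], abstract(Y[a], Kq))])
                    for a in X)
            if best is None or d < best:
                best = d
    return best

# Constructed reactive PTS over the single action 'a' (terminal states have zero
# rows).  In A, state 0 moves with probability 1/2 each to two terminal states 1
# and 2; B merges them into one terminal state; C takes that move only w.p. 3/4.
A = {"a": [[F(0), F(1, 2), F(1, 2)], [F(0)] * 3, [F(0)] * 3]}
B = {"a": [[F(0), F(1)], [F(0), F(0)]]}
C = {"a": [[F(0), F(3, 4)], [F(0), F(0)]]}

if __name__ == "__main__":
    print(epsilon_bisimilarity(A, B, 2))  # 0: A and B are bisimilar (Prop. 8)
    print(epsilon_bisimilarity(A, C, 2))  # 1/4: the probability mass C drops
    print(epsilon_bisimilarity(A, C, 1))  # 1/24: a single class hides most of it
```

With $m = 1$ every state is identified, which is why the estimate shrinks; fixing $m$ is what keeps the comparison meaningful.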

Example 2. In this example we will use a more “probabilistic” form of PTS 
which are called generative in [26]. In this model the probability distribution on 
the branching takes into account the internal decision of the process to react to 
a given action. Thus the transition relation is a subset of $S \times Dist(A \times S)$. 

Let us compare the following, obviously somehow “similar”, processes: 

$A = \mathbf{fix}\, X.\; b : X +_{\frac{1}{2}} a : 0$ 

B = a : 0 + 3 (fix X. b : X + 1 a : 0)   [probability subscripts not recoverable from the scan] 

$C = a : 0 +_{\frac{1}{2}} (\mathbf{fix}\, X.\; b : X +_{\frac{51}{100}} a : 0)$ 

Their transition graphs are given by: 

[transition graphs of $A$, $B$ and $C$: figure not recoverable from the scan] 

These processes are not probabilistically bisimilar. However one can try to 
determine how similar they are. The matrix representations are as follows: 

$\mathbf{A} = \mathbf{M}(A) = M_a(A) \oplus M_b(A) =$ [matrix entries not recoverable from the scan] 

$\mathbf{B} = \mathbf{M}(B) = M_a(B) \oplus M_b(B) =$ [matrix entries not recoverable from the scan] 

$\mathbf{C} = \mathbf{M}(C) = M_a(C) \oplus M_b(C) =$ [matrix entries not recoverable from the scan] 
The problem is to find $K_A$, $K_B$, and $K_C \in \mathcal{C}$ such that the norm of the 
difference between $K_A^\dagger \mathbf{A} K_A$ and $K_B^\dagger \mathbf{B} K_B$ or $K_C^\dagger \mathbf{C} K_C$ is minimal. There is 
only a finite (though exponentially growing) number of possible classification 
operators $K \in \mathcal{C}$. A brute force approach looking at all possible $K$ allows us 
to determine the $\varepsilon$-bisimilarity of $A$ and $B$, and of $A$ and $C$. Interestingly the 
optimal $K = K_B = K_C$ is coincidentally the same for both $B$ and $C$: 



$K = \begin{pmatrix} 1 & 0 \\ 0 & 1 \\ 1 & 0 \\ 0 & 1 \end{pmatrix}, \qquad 
K^\dagger = \begin{pmatrix} \frac{1}{2} & 0 & \frac{1}{2} & 0 \\ 0 & \frac{1}{2} & 0 & \frac{1}{2} \end{pmatrix}$ 

while for $K_A$ we can take the identity. 

Measuring the difference based on the operator norm leads to the following: 
5 Conclusions 

In this paper we have investigated quantitative relations, in particular proba- 
bilistic transition relations. We were able to extend the classical framework of 
Abstract Interpretation to a quantitative domain by taking the Moore-Penrose 
pseudo-inverse as an appropriate replacement for the order-theoretic concept 
of Galois connections. Based on this methodology of Probabilistic Abstract In- 
terpretation, previously introduced only in a finite dimensional setting [13], we 
recast (probabilistic) process equivalences in terms of linear operators. This for- 
mulation has a very strong resemblance to notions of similarity in mathematical 
control theory, e.g. [29, Def 4.1.1]. Finally we were able to weaken strict process 
equivalences to approximate ones. This provides a novel approach towards the 
notion of approximative or $\varepsilon$-bisimilarity and adds new aspects to existing ap- 
proaches, like those based on metrics [16] or pseudo-metrics [9,30]. In particular, 
our approach allows for a statistical interpretation of the approximation $\varepsilon$ which 
relates this quantity to the number of tests we need to perform in order to accept 
a given hypothesis with a certain confidence in a “hypothesis testing” approach 
to statistical testing. This is particularly important in a security context; we 
are confident that these notions of approximate similarity can be fruitfully em- 
ployed in security related applications, such as approximate confinement, which 
provided the original motivation for this work [12]. Aldini et al. adopted a similar 
approach to study probabilistic non-interference in a CSP-like language [1]. 